GHSA-X76W-8C62-48MG: Missing Authorization in Craft CMS AssetsController Leads to Private Asset Disclosure
Vulnerability ID: GHSA-X76W-8C62-48MG
CVSS Score: 4.3
Published: 2026-07-06
An improper authorization vulnerability in Craft CMS allows authenticated Control Panel users to bypass volume view permissions and access signed fallback transform preview links for private assets via the assets/preview-thumb action.
TL;DR
Low-privileged Control Panel users can retrieve signed preview links for restricted assets due to missing authorization checks in the preview-thumb endpoint.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-862
- Attack Vector: Network (AV:N)
- CVSS Score: 4.3 (Medium)
- Impact: Information Disclosure / Private Asset Access
- Exploit Status: PoC / Theoretical
- KEV Status: Not Listed
Affected Systems
- Craft CMS
-
Craft CMS: >= 4.0.0, < 4.17.8 (Fixed in:
4.17.8) -
Craft CMS: >= 5.0.0, < 5.9.14 (Fixed in:
5.9.14)
Code Analysis
Commit: d30df31
Verify volume permissions in AssetsController::actionPreviewFile()
Exploit Details
- GitHub: Fix commit verifying volume view permissions in AssetsController
Mitigation Strategies
- Upgrade Craft CMS to a patched version (4.17.8+ or 5.9.14+).
- Restrict access to the Craft CMS Control Panel to trusted IP ranges.
- Implement monitoring for anomalous POST requests to the assets/preview-thumb endpoint.
Remediation Steps:
- Open a terminal in the Craft CMS root directory.
- Execute the command: composer update craftcms/cms
- Verify the installed version is 4.17.8 or higher, or 5.9.14 or higher.
- Test the preview endpoint with a low-privileged user to confirm an HTTP 403 status is returned for restricted assets.
References
- GitHub Security Advisory GHSA-X76W-8C62-48MG
- Craft CMS Security Advisory GHSA-x76w-8c62-48mg
- Craft CMS Fix Commit
Read the full report for GHSA-X76W-8C62-48MG on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)