DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-X76W-8C62-48MG: GHSA-X76W-8C62-48MG: Missing Authorization in Craft CMS AssetsController Leads to Private Asset Disclosure

GHSA-X76W-8C62-48MG: Missing Authorization in Craft CMS AssetsController Leads to Private Asset Disclosure

Vulnerability ID: GHSA-X76W-8C62-48MG
CVSS Score: 4.3
Published: 2026-07-06

An improper authorization vulnerability in Craft CMS allows authenticated Control Panel users to bypass volume view permissions and access signed fallback transform preview links for private assets via the assets/preview-thumb action.

TL;DR

Low-privileged Control Panel users can retrieve signed preview links for restricted assets due to missing authorization checks in the preview-thumb endpoint.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-862
  • Attack Vector: Network (AV:N)
  • CVSS Score: 4.3 (Medium)
  • Impact: Information Disclosure / Private Asset Access
  • Exploit Status: PoC / Theoretical
  • KEV Status: Not Listed

Affected Systems

  • Craft CMS
  • Craft CMS: >= 4.0.0, < 4.17.8 (Fixed in: 4.17.8)
  • Craft CMS: >= 5.0.0, < 5.9.14 (Fixed in: 5.9.14)

Code Analysis

Commit: d30df31

Verify volume permissions in AssetsController::actionPreviewFile()

Exploit Details

  • GitHub: Fix commit verifying volume view permissions in AssetsController

Mitigation Strategies

  • Upgrade Craft CMS to a patched version (4.17.8+ or 5.9.14+).
  • Restrict access to the Craft CMS Control Panel to trusted IP ranges.
  • Implement monitoring for anomalous POST requests to the assets/preview-thumb endpoint.

Remediation Steps:

  1. Open a terminal in the Craft CMS root directory.
  2. Execute the command: composer update craftcms/cms
  3. Verify the installed version is 4.17.8 or higher, or 5.9.14 or higher.
  4. Test the preview endpoint with a low-privileged user to confirm an HTTP 403 status is returned for restricted assets.

References


Read the full report for GHSA-X76W-8C62-48MG on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)