CVE-2026-33158: Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
A low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view.
The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files.
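As an added example (not code from the advisory or from the Craft CMS code base), the following detector flags a client that pulls many distinct `assetId` values through `assets/edit-image` in a short window, the access pattern the missing per-asset view check would permit. The log format, request path shape, user names and thresholds are constructed assumptions; only the action name and parameter come from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format). The request path
# shape and user names are assumptions; only "assets/edit-image" and
# "assetId" come from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2026:10:00:01 +0000] "GET /index.php?p=actions/assets/edit-image&assetId=101 HTTP/1.1" 200 4521
10.0.0.5 - alice [12/Mar/2026:10:00:02 +0000] "GET /index.php?p=actions/assets/edit-image&assetId=102 HTTP/1.1" 200 3312
10.0.0.5 - alice [12/Mar/2026:10:00:03 +0000] "GET /index.php?p=actions/assets/edit-image&assetId=103 HTTP/1.1" 302 0
10.0.0.5 - alice [12/Mar/2026:10:00:04 +0000] "GET /index.php?p=actions/assets/edit-image&assetId=104 HTTP/1.1" 200 1207
10.0.0.9 - bob [12/Mar/2026:10:00:06 +0000] "GET /index.php?p=actions/assets/edit-image&assetId=101 HTTP/1.1" 200 4521
10.0.0.9 - bob [12/Mar/2026:10:30:00 +0000] "GET /index.php?p=actions/assets/edit-image&assetId=101 HTTP/1.1" 200 4521
10.0.0.9 - bob [12/Mar/2026:10:00:07 +0000] "POST /index.php?p=actions/assets/save-asset HTTP/1.1" 200 88
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_edit_image_requests(log_text):
    """Yield (client, timestamp, asset_id, status) for each assets/edit-image hit."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "assets/edit-image" not in m["path"]:
            continue
        q = re.search(r"[?&]assetId=(\d+)", m["path"])
        if q:
            client = f'{m["ip"]}/{m["user"]}'
            yield client, datetime.strptime(m["ts"], TS_FMT), int(q[1]), int(m["status"])

def find_enumeration(log_text, window=timedelta(minutes=5), threshold=4):
    """Return {client: distinct_ids} for clients that pulled at least `threshold`
    distinct assetIds through assets/edit-image inside any `window`-long span.
    Only 200 (image bytes) and 302 (preview redirect) count as disclosures."""
    hits = defaultdict(list)
    for client, ts, asset_id, status in parse_edit_image_requests(log_text):
        if status in (200, 302):
            hits[client].append((ts, asset_id))
    flagged = {}
    for client, events in hits.items():
        events.sort()  # sliding window over time-ordered requests
        for i, (start, _) in enumerate(events):
            ids = {a for t, a in events[i:] if t - start <= window}
            if len(ids) >= threshold:
                flagged[client] = len(ids)
                break
    return flagged
```

Run against SAMPLE_LOG, only the client fetching four different assets within a few seconds is flagged; the repeated fetch of one asset by the other client is not.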
References
- github.com/advisories/GHSA-3pvf-vxrv-hh9c
- github.com/craftcms/cms
- github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860
- github.com/craftcms/cms/releases/tag/4.17.8
- github.com/craftcms/cms/releases/tag/5.9.14
- github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c
- nvd.nist.gov/vuln/detail/CVE-2026-33158