GHSA-44px-qjjc-xrhq: Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata

March 26, 2026

An authenticated low-privileged user can call assets/preview-file for an asset they are not authorized to view and still receive preview response data (previewHtml) for that private asset.

The returned preview HTML included a private preview image route containing the target private assetId, even though canView was false for the attacker account.

References

github.com/advisories/GHSA-44px-qjjc-xrhq
github.com/craftcms/cms
github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db
github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27
github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq

Code Behaviors & Features

Detect and mitigate GHSA-44px-qjjc-xrhq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →