CVE-2026-33158 MEDIUM

CVE-2026-33158: Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)

Vendor Craftcms
Product cms
Weakness CWE-639 · IDOR
Published March 24, 2026
Last update March 24, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01 Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.

Key dates

02 Disclosure timeline

March 24, 2026 CVE published
March 24, 2026 Record updated