Craft CMS Unauthorized Asset Access Vulnerability

Vulnerability

A vulnerability exists in Craft CMS versions 4.0.0-RC1 prior to 4.17.8 and 5.0.0-RC1 prior to 5.9.14 that allows low-privileged authenticated users to read private asset content. The user sends a request to the 'assets/edit-image' endpoint with an arbitrary 'assetId' belonging to an asset they are not authorized to view. The endpoint responds with the image data, or with a redirect to a preview, without first checking that the requesting user is permitted to view that particular asset. This is an insecure direct object reference, and it can disclose private files to any account that can reach the endpoint.
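The request pattern described above, one authenticated account walking 'assetId' values against 'assets/edit-image', leaves a recognisable trail in web-server access logs. The script below is an added example, not code from this page or from Craft CMS: it parses combined-format access logs, keeps only edit-image requests that carry an assetId, and flags any user/IP pair that touched many distinct assetIds within a short window, counting how many of those requests were served (a 200 image body or a 302 preview redirect, the two responses the advisory describes). The log lines are constructed, the '/actions/' prefix assumes Craft's default action trigger, the username in the third log field assumes the server is configured to log the logged-in user there (stock combined format only fills it for HTTP auth), and the window and threshold are tuning assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Route and parameter name are the ones named in the advisory. Matching is done
# on the route substring because the "/actions/" prefix (Craft's default action
# trigger, an assumption here) is configurable per site.
EDIT_IMAGE_ROUTE = "assets/edit-image"
ASSET_PARAM = "assetId"

# Combined log format. Assumption: the third field holds the CP username.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample, not captured from a real server. "editor" makes two
# ordinary requests; "contributor" walks consecutive assetIds.
SAMPLE_LOG = """\
10.0.0.5 - editor [24/Mar/2026:18:01:02 +0000] "GET /actions/assets/edit-image?assetId=101 HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
10.0.0.5 - editor [24/Mar/2026:18:02:10 +0000] "GET /actions/assets/edit-image HTTP/1.1" 400 312 "-" "Mozilla/5.0"
10.0.0.5 - editor [24/Mar/2026:18:03:40 +0000] "GET /actions/assets/edit-image?assetId=102 HTTP/1.1" 200 51020 "-" "Mozilla/5.0"
10.0.0.9 - contributor [24/Mar/2026:18:10:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.0.0.9 - contributor [24/Mar/2026:18:10:05 +0000] "GET /actions/assets/edit-image?assetId=200 HTTP/1.1" 200 39011 "-" "Mozilla/5.0"
10.0.0.9 - contributor [24/Mar/2026:18:10:07 +0000] "GET /actions/assets/edit-image?assetId=201 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - contributor [24/Mar/2026:18:10:09 +0000] "GET /actions/assets/edit-image?assetId=202 HTTP/1.1" 200 22870 "-" "Mozilla/5.0"
10.0.0.9 - contributor [24/Mar/2026:18:10:11 +0000] "GET /actions/assets/edit-image?assetId=203 HTTP/1.1" 200 60133 "-" "Mozilla/5.0"
10.0.0.9 - contributor [24/Mar/2026:18:10:13 +0000] "GET /actions/assets/edit-image?assetId=204 HTTP/1.1" 404 1290 "-" "Mozilla/5.0"
10.0.0.9 - contributor [24/Mar/2026:18:10:15 +0000] "GET /actions/assets/edit-image?assetId=205 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - contributor [24/Mar/2026:18:10:20 +0000] "GET /index.php?p=actions/assets/edit-image&assetId=206 HTTP/1.1" 200 17450 "-" "Mozilla/5.0"
"""


@dataclass(frozen=True)
class EditImageRequest:
    when: datetime
    user: str
    ip: str
    asset_id: str
    status: int


def parse_edit_image_requests(log_text):
    """Extract edit-image requests that carry an assetId from access-log text.

    Other requests, and edit-image requests without an assetId, are dropped."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or EDIT_IMAGE_ROUTE not in m["target"]:
            continue
        # Covers both /actions/assets/edit-image?assetId=N and
        # /index.php?p=actions/assets/edit-image&assetId=N
        query = parse_qs(urlsplit(m["target"]).query)
        ids = query.get(ASSET_PARAM)
        if not ids:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        found.append(EditImageRequest(when, m["user"], m["ip"], ids[0], int(m["status"])))
    return found


def find_enumeration(requests, window=timedelta(minutes=5), min_distinct=5):
    """Flag (user, ip) pairs that requested at least `min_distinct` different
    assetIds inside any span no longer than `window`.

    For each flagged actor the widest such span is reported: the distinct ids,
    how many requests were served (200 or 302), and the span's time bounds.
    Threshold and window are tuning assumptions, not values from the advisory."""
    by_actor = defaultdict(list)
    for r in requests:
        by_actor[(r.user, r.ip)].append(r)

    findings = {}
    for actor, reqs in by_actor.items():
        reqs.sort(key=lambda r: r.when)
        start = 0
        for end in range(len(reqs)):
            # Advance the window start until the span fits inside `window`.
            while reqs[end].when - reqs[start].when > window:
                start += 1
            span = reqs[start:end + 1]
            distinct = {r.asset_id for r in span}
            if len(distinct) < min_distinct:
                continue
            previous = findings.get(actor)
            if previous is None or len(distinct) > len(previous["asset_ids"]):
                findings[actor] = {
                    "asset_ids": sorted(distinct),
                    "served": sum(1 for r in span if r.status in (200, 302)),
                    "first": span[0].when,
                    "last": span[-1].when,
                }
    return findings


if __name__ == "__main__":
    hits = find_enumeration(parse_edit_image_requests(SAMPLE_LOG))
    for (user, ip), info in hits.items():
        print(f"{user}@{ip}: {len(info['asset_ids'])} distinct assetIds "
              f"({info['served']} served) between {info['first']} and {info['last']}")
```

On the sample, "editor" touches two assets and is not reported; "contributor" touches seven distinct assetIds in fifteen seconds, six of which were served, and is flagged. The 404 for assetId=204 is the kind of gap a sequential walk leaves when an id does not exist, so nonexistent ids are still counted as part of the enumeration even though nothing was disclosed for them.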

Impact

Exploitation allows low-privileged authenticated users to read private asset content they are not authorized to see. No elevated permissions are needed beyond an account that can reach the endpoint, so every such account on an affected site is a potential source of disclosure.

Remediation

Upgrade to Craft CMS 4.17.8 or later on the 4.x line, or 5.9.14 or later on the 5.x line. Because the flaw requires only an authenticated session, sites that ran an affected version should also review access logs for 'assets/edit-image' requests carrying 'assetId' values from accounts that would not normally work with those assets.

Added: Mar 24, 2026, 6:31 PM
Updated: Mar 24, 2026, 6:31 PM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          0.6
exploitability  6.1
remediation     7.7
relevance       4.6
threat          3.2
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.