Executive Summary

CVE-2026-33158 is a moderate severity vulnerability in Craft CMS that affects versions from 4.0.0-RC1 to before 4.17.8 and from 5.0.0-RC1 to before 5.9.14. It is an Insecure Direct Object Reference (IDOR) issue where a low-privileged authenticated user can access private asset content without proper authorization.

Specifically, by calling the endpoint `assets/edit-image` with an arbitrary assetId, the system returns image bytes or a preview redirect without verifying if the user has permission to view that asset. This happens because the assetId parameter is user-controlled and the system does not enforce per-asset view authorization checks, leading to unauthorized disclosure of private files.

This vulnerability has been patched in versions 4.17.8 and 5.9.14.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows low-privileged authenticated users to bypass authorization controls and access private or non-public asset contents that they should not be able to view.

As a result, sensitive or confidential files stored as private assets in Craft CMS installations could be exposed to unauthorized users, leading to potential information disclosure.

This unauthorized access could compromise the confidentiality of private data, potentially damaging trust, violating privacy expectations, and exposing sensitive business or personal information.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized access to private asset content via the `assets/edit-image` endpoint by supplying an arbitrary `assetId` parameter without proper authorization checks.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the `assets/edit-image` endpoint, especially those made by low-privileged authenticated users.'}, {'type': 'paragraph', 'content': 'Suggested commands include using web server logs or network monitoring tools to filter requests:'}, {'type': 'list_item', 'content': 'Using grep on web server access logs to find suspicious requests: `grep "/assets/edit-image" /path/to/access.log`'}, {'type': 'list_item', 'content': 'Using curl to test if unauthorized asset IDs return image data (only on a test system): `curl -i -b cookies.txt "https://your-craftcms-site.com/assets/edit-image?assetId=ARBITRARY_ID"`'}, {'type': 'list_item', 'content': 'Using intrusion detection systems or web application firewalls (WAF) to alert on requests to `assets/edit-image` with unusual or unauthorized asset IDs.'}, {'type': 'paragraph', 'content': 'Note that detection requires authenticated user context and monitoring for access attempts to asset IDs that the user should not have permission to view.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Craft CMS to a patched version where this vulnerability is fixed.

• Upgrade to version 4.17.8 or later if you are using the 4.x branch.
• Upgrade to version 5.9.14 or later if you are using the 5.x branch.

These versions include fixes that enforce proper per-asset authorization checks on the `assets/edit-image` endpoint, preventing unauthorized access.

Additionally, review and tighten user permissions to ensure that low-privileged users do not have unnecessary access to asset management features.

If immediate upgrade is not possible, consider restricting access to the `assets/edit-image` endpoint via network controls or web application firewall rules to block unauthorized requests.

Useful 0 Not Useful 0