CVE-2026-33160
Received Received - Intake
Unauthorized Asset Access in Craft CMS via Transform URL Disclosure

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33160
EUVD
EUVD-2026-14940
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms From 4.0.0 (exc) to 4.17.8 (exc)
craftcms craft_cms From 5.0.0 (exc) to 5.9.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33160 is a vulnerability in Craft CMS versions from 4.0.0-RC1 up to before 4.17.8 and from 5.0.0-RC1 up to before 5.9.14. It allows an unauthenticated user to call the anonymous endpoint `assets/generate-transform` with a private asset ID.

Because this endpoint does not enforce authorization checks, the attacker can receive a valid transform URL and fetch transformed image bytes derived from private assets without any authentication.

The root cause is the lack of access validation on user-controlled asset references, leading to an authorization bypass and unauthorized disclosure of private asset content.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of private asset content stored in Craft CMS.

An attacker can access transformed versions of private images without authentication, potentially exposing sensitive or confidential information.

This could compromise the confidentiality of private assets and damage trust or privacy expectations.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the anonymous endpoint `assets/generate-transform` with a private asset ID and checking if a valid transform URL is returned without authentication.'}, {'type': 'paragraph', 'content': 'A possible command to test this could be using curl to send a request to the endpoint with a known or guessed private asset ID, for example:'}, {'type': 'list_item', 'content': 'curl -v "https://your-craftcms-site.com/assets/generate-transform?assetId=PRIVATE_ASSET_ID"'}, {'type': 'paragraph', 'content': 'If the response returns a valid transform URL or image bytes without requiring authentication, the system is vulnerable.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Craft CMS to a patched version where this vulnerability is fixed.

  • Upgrade to version 4.17.8 or later if you are on the 4.x branch.
  • Upgrade to version 5.9.14 or later if you are on the 5.x branch.

Until the upgrade can be applied, restrict access to the `assets/generate-transform` endpoint to authenticated and authorized users only, if possible, to prevent unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33160. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart