CVE-2026-33160
Unauthorized Asset Access in Craft CMS via Transform URL Disclosure
Publication date: 2026-03-24
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | 4.0.0 |
| craftcms | craft_cms | 5.0.0 |
| craftcms | craft_cms | From 4.0.0 (exc) to 4.17.8 (exc) |
| craftcms | craft_cms | From 5.0.0 (exc) to 5.9.14 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33160 is a vulnerability in Craft CMS versions from 4.0.0-RC1 up to before 4.17.8 and from 5.0.0-RC1 up to before 5.9.14. It allows an unauthenticated user to call the anonymous endpoint `assets/generate-transform` with a private asset ID.
Because this endpoint does not enforce authorization checks, the attacker can receive a valid transform URL and fetch transformed image bytes derived from private assets without any authentication.
The root cause is the lack of access validation on user-controlled asset references, leading to an authorization bypass and unauthorized disclosure of private asset content.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of private asset content stored in Craft CMS.
An attacker can access transformed versions of private images without authentication, potentially exposing sensitive or confidential information.
This could compromise the confidentiality of private assets and damage trust or privacy expectations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the anonymous endpoint `assets/generate-transform` with a private asset ID and checking if a valid transform URL is returned without authentication.
A possible command to test this could be using curl to send a request to the endpoint with a known or guessed private asset ID, for example:
- `curl -v "https://your-craftcms-site.com/assets/generate-transform?assetId=PRIVATE_ASSET_ID"`
If the response returns a valid transform URL or image bytes without requiring authentication, the system is vulnerable. [1]
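The probe above answers "am I vulnerable?"; the complementary question for a defender is "has anyone already tried this?". The following Python is an added example (editor-supplied, not part of this page or of Craft CMS) that scans web-server access logs for cookie-less requests to the `assets/generate-transform` action and counts distinct asset IDs per source, since many IDs from one source is the enumeration pattern CWE-639 describes. It assumes a combined log format with `$http_cookie` appended as a final quoted field, that the action is reachable under a path containing `assets/generate-transform`, and that a request carrying no cookie at all cannot belong to a logged-in control-panel user; the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log format: combined + "$http_cookie" as a trailing quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
ENDPOINT = "assets/generate-transform"  # matches /actions/... and ?p=actions/... forms

# Constructed sample lines (not real traffic); assetId values are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2026:10:01:02 +0000] "GET /actions/assets/generate-transform?assetId=1042 HTTP/1.1" 200 512 "-" "curl/8.4.0" "-"
203.0.113.5 - - [24/Mar/2026:10:01:03 +0000] "GET /actions/assets/generate-transform?assetId=1043 HTTP/1.1" 200 512 "-" "curl/8.4.0" "-"
198.51.100.7 - - [24/Mar/2026:10:02:00 +0000] "GET /index.php?p=actions/assets/generate-transform&assetId=88 HTTP/1.1" 200 480 "-" "Mozilla/5.0" "CraftSessionId=abc123"
192.0.2.9 - - [24/Mar/2026:10:03:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
"""


def find_unauthenticated_transform_requests(log_text):
    """Return one record per request to the transform action that carried no cookie.

    The HTTP status is kept rather than filtered: a 200 on an unpatched site is
    a likely disclosure, while a 403/404 after upgrading still shows intent.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or ENDPOINT not in m.group("path"):
            continue
        if m.group("cookie") not in ("", "-"):
            continue  # has a cookie; could be a legitimately logged-in user
        asset = re.search(r"assetId=(\d+)", m.group("path"))
        hits.append({
            "ip": m.group("ip"),
            "asset_id": asset.group(1) if asset else None,
            "status": m.group("status"),
            "ua": m.group("ua"),
        })
    return hits


def distinct_assets_per_source(hits):
    """Map source IP -> number of distinct asset IDs requested without a session."""
    per_ip = defaultdict(set)
    for h in hits:
        per_ip[h["ip"]].add(h["asset_id"])
    return {ip: len(ids) for ip, ids in per_ip.items()}


if __name__ == "__main__":
    found = find_unauthenticated_transform_requests(SAMPLE_LOG)
    for ip, n in distinct_assets_per_source(found).items():
        print(f"{ip}: {n} distinct private asset IDs requested without a session")
```

A raised count for a single source, especially with sequential IDs and a non-browser user agent, is the signal to triage; a single cookie-less request may still be a public-asset front-end transform and needs the asset's volume permissions checked before it is treated as a disclosure.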
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Craft CMS to a patched version where this vulnerability is fixed.
- Upgrade to version 4.17.8 or later if you are on the 4.x branch.
- Upgrade to version 5.9.14 or later if you are on the 5.x branch.
Until the upgrade can be applied, restrict access to the `assets/generate-transform` endpoint to authenticated and authorized users only, if possible, to prevent unauthorized access.