CVE-2026-33161
Information Disclosure via Insecure Asset Metadata in Craft CMS
Publication date: 2026-03-24
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | 4.0.0 |
| craftcms | craft_cms | 5.0.0 |
| craftcms | craft_cms | From 4.0.0 (exc) to 4.17.8 (exc) |
| craftcms | craft_cms | From 5.0.0 (exc) to 5.9.14 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33161 is a low-severity vulnerability in Craft CMS affecting versions from 4.0.0-RC1 up to before 4.17.8 and from 5.0.0-RC1 up to before 5.9.14. The issue occurs in the "assets/image-editor" endpoint, where a low-privileged authenticated user can request the ID of a private asset they are not authorized to view and still receive private editing metadata, including focalPoint data.

This happens because the endpoint returns private asset editor metadata without performing proper per-asset authorization validation, allowing unauthorized disclosure of sensitive editing information.

The root cause is missing authorization checks before returning the response, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-862 (Missing Authorization). [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of private editing metadata for assets that a user is not authorized to view. Even low-privileged authenticated users can access sensitive information such as focalPoint data of private assets.
Such information disclosure could potentially expose sensitive content details or editing context that should remain confidential, undermining the privacy and security of asset data within the CMS.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized disclosure of private asset editor metadata via the "assets/image-editor" endpoint when accessed by a low-privileged authenticated user.

To detect this vulnerability on your system, you can attempt to access the "assets/image-editor" endpoint with the ID of a private asset that your user account should not have permission to view.

If the response includes private editing metadata such as focalPoint data or other editor context for assets you are not authorized to view, your system is vulnerable.

Example command using curl to test this (replace <asset_id> and <auth_token> accordingly):

- `curl -X POST https://your-craftcms-site.com/actions/assets/image-editor -H "Authorization: Bearer <auth_token>" -d "assetId=<asset_id>" -v`

Analyze the response for any private metadata returned despite insufficient permissions. [1]
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in Craft CMS versions 4.17.8 and 5.9.14.

Immediate mitigation steps include:

- Upgrade your Craft CMS installation to version 4.17.8 or later if you are on the 4.x branch, or to version 5.9.14 or later if you are on the 5.x branch.
- Ensure that permission checks are properly enforced on asset preview and image editor endpoints, specifically requiring users to have 'viewAssets' permission on the asset's volume and 'viewPeerAssets' permission on peer volumes.

These steps prevent unauthorized users from accessing private asset metadata and mitigate the information disclosure vulnerability. [2]