CVE-2026-33161
Information Disclosure via Insecure Asset Metadata in Craft CMS

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.
Meta Information: generated 2026-06-16; AI Q&A 2026-03-24; EPSS evaluated 2026-06-15.
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms From 4.0.0 (exc) to 4.17.8 (exc)
craftcms craft_cms From 5.0.0 (exc) to 5.9.14 (exc)
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Executive Summary

CVE-2026-33161 is a low-severity vulnerability in Craft CMS affecting versions from 4.0.0-RC1 up to before 4.17.8 and from 5.0.0-RC1 up to before 5.9.14. The issue occurs in the "assets/image-editor" endpoint, where a low-privileged authenticated user can request the ID of a private asset they are not authorized to view and still receive private editing metadata, including focalPoint data.

This happens because the endpoint returns private asset editor metadata without performing proper per-asset authorization validation, allowing unauthorized disclosure of sensitive editing information.

The root cause is missing authorization checks before returning the response, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-862 (Missing Authorization). [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of private editing metadata for assets that a user is not authorized to view. Even low-privileged authenticated users can access sensitive information such as focalPoint data of private assets.

Such disclosure could expose content details or editing context that should remain confidential, undermining the privacy and security of asset data within the CMS.


Detection Guidance

This vulnerability involves unauthorized disclosure of private asset editor metadata via the "assets/image-editor" endpoint when accessed by a low-privileged authenticated user.

To detect this vulnerability on your system, you can attempt to access the "assets/image-editor" endpoint with the ID of a private asset that your user account should not have permission to view.

If the response includes private editing metadata such as focalPoint data or other editor context for assets you are not authorized to view, your system is vulnerable.

Example command using curl to test this (replace <asset_id> and <auth_token> accordingly):

    curl -X POST https://your-craftcms-site.com/actions/assets/image-editor -H "Authorization: Bearer <auth_token>" -d "assetId=<asset_id>" -v

Analyze the response for any private metadata returned despite insufficient permissions. [1]

Mitigation Strategies

The vulnerability has been patched in Craft CMS versions 4.17.8 and 5.9.14.

Immediate mitigation steps include:

- Upgrade your Craft CMS installation to version 4.17.8 or later if you are on the 4.x branch, or to version 5.9.14 or later if you are on the 5.x branch.
- Ensure that permission checks are properly enforced on asset preview and image editor endpoints, specifically requiring users to have 'viewAssets' permission on the asset's volume and 'viewPeerAssets' permission on peer volumes.

These steps prevent unauthorized users from accessing private asset metadata and mitigate the information disclosure vulnerability. [2]
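As an added illustration (not Craft CMS's own code and not the CVE-2026-33161 patch), a Craft 4/5-style controller action that performs the per-asset check the mitigation describes before returning any editor metadata. The controller class, action name and JSON keys are assumed for illustration; the Craft calls used (requireLogin, getAssetById, checkPermission, getFocalPoint) are real APIs, and "peer asset" is taken to mean an asset uploaded by a different user.

```php
<?php
// Added illustration, not Craft CMS's own code or the CVE-2026-33161 patch.
// Controller class, action name and the JSON keys are assumed for illustration;
// the Craft APIs used (requireLogin, getAssetById, checkPermission) are real.
namespace modules\example\controllers;

use Craft;
use craft\elements\Asset;
use craft\web\Controller;
use yii\web\NotFoundHttpException;
use yii\web\Response;

class ImageEditorController extends Controller
{
    public function actionEditorData(): Response
    {
        $this->requireAcceptsJson();
        $this->requireLogin(); // authenticated, but not yet authorized for this asset
        $assetId = (int)Craft::$app->getRequest()->getRequiredBodyParam('assetId');
        $asset = Craft::$app->getAssets()->getAssetById($assetId);

        // The per-asset check the vulnerable behaviour lacked. Unauthorized and
        // nonexistent IDs get the same response so the endpoint does not confirm
        // that a private asset ID exists.
        if (!$asset instanceof Asset || !$this->userMayViewAsset($asset)) {
            throw new NotFoundHttpException('Asset not found');
        }

        return $this->asJson([
            'assetId'    => $asset->id,
            'focalPoint' => $asset->getFocalPoint(),
        ]);
    }

    // viewAssets on the asset's volume is always required; an asset uploaded
    // by another user additionally requires viewPeerAssets on that volume.
    private function userMayViewAsset(Asset $asset): bool
    {
        $user = Craft::$app->getUser();
        $volumeUid = $asset->getVolume()->uid;
        if (!$user->checkPermission("viewAssets:$volumeUid")) {
            return false;
        }
        if ($asset->uploaderId === $user->getId()) {
            return true;
        }
        return $user->checkPermission("viewPeerAssets:$volumeUid");
    }
}
```

The same authorization helper belongs on every asset preview or editor endpoint, since a login check alone establishes who the caller is but not what they may see.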
