CVE-2026-56384
Missing Authorization in Craft CMS Preview Thumb

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulnCheck

Description
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
craftcms craft_cms From 4.0.0-RC1 (inc) to 4.17.7 (inc)
craftcms craft_cms From 5.0.0-RC1 (inc) to 5.9.13 (inc)
craftcms craft_cms 4.17.8
craftcms craft_cms 5.9.14
CWE
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-56384 is a missing authorization flaw (CWE-862) in the assets/preview-thumb Control Panel action of Craft CMS. The action builds a preview for whatever assetId it is handed without first checking that the requesting user is allowed to view that asset.

Exploitation requires an authenticated Control Panel account but no permission on the targeted asset: the user supplies the id of a private asset and receives preview HTML that contains a server-signed fallback transform preview link for it. Asset ids are integer element ids, so a user can simply try them in sequence. The outcome is access to previews of assets that the user's volume permissions should have hidden.

Impact Analysis

The impact is to confidentiality: a low-privileged Control Panel user obtains signed preview links for private assets in volumes they have no view permission on, and with them whatever the preview reveals of the file's contents. No write access or code execution is involved.

Because the link is signed by the server, it remains usable by whoever holds it; the missing check at generation time cannot be compensated for later. How serious this is in a given deployment depends on what the private volumes hold (contracts, unreleased media, personal data) and on how many people have Control Panel accounts.

Detection Guidance

The request of interest is a Control Panel action call to assets/preview-thumb carrying an assetId the calling user is not permitted to view. With Craft's default cpTrigger (admin) and actionTrigger (actions) settings the path is /admin/actions/assets/preview-thumb, so web server access logs are the first place to look:

  • grep 'assets/preview-thumb' /var/log/apache2/access.log
  • grep 'assets/preview-thumb' /var/log/nginx/access.log

Two limitations apply. An access log records the client address and the request line, not the Craft user, so judging whether a request was authorized means correlating the client and session with Craft's own user records; on its own, the most useful access-log signal is one client requesting many distinct assetIds in a short period, which is what enumeration of private assets looks like. Also, Craft accepts the action route in the POST body (the action parameter) as well as in the path, and such requests do not show the endpoint in the request line at all; application-level logging is needed to see them.

Packet capture with tcpdump or Wireshark only helps where the traffic is visible in clear text, that is, at or behind the TLS-terminating proxy. On the public side of the site the request is encrypted.
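
The enumeration signal described above, implemented over a handful of constructed combined-format access log lines. This is an added example, not code from the page or from Craft CMS; the sample lines are fabricated, the path assumes the default admin/actions triggers, and the window and threshold are arbitrary starting points to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined-format access log lines, constructed for this example (not real traffic).
# The path /admin/actions/assets/preview-thumb assumes Craft's default cpTrigger
# ("admin") and actionTrigger ("actions"); adjust ENDPOINT_SUFFIX for other settings.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2026:10:00:01 +0000] "GET /admin/actions/assets/preview-thumb?assetId=101&width=120&height=120 HTTP/1.1" 200 1342 "https://cms.example/admin/assets" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2026:10:00:02 +0000] "GET /admin/actions/assets/preview-thumb?assetId=102&width=120&height=120 HTTP/1.1" 200 1340 "https://cms.example/admin/assets" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2026:10:00:02 +0000] "GET /admin/actions/assets/preview-thumb?assetId=103&width=120&height=120 HTTP/1.1" 200 1339 "https://cms.example/admin/assets" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2026:10:00:03 +0000] "GET /admin/actions/assets/preview-thumb?assetId=104&width=120&height=120 HTTP/1.1" 200 1344 "https://cms.example/admin/assets" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2026:10:00:04 +0000] "GET /admin/actions/assets/preview-thumb?assetId=105&width=120&height=120 HTTP/1.1" 200 1341 "https://cms.example/admin/assets" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2026:10:00:05 +0000] "GET /admin/actions/assets/preview-thumb?assetId=106&width=120&height=120 HTTP/1.1" 200 1338 "https://cms.example/admin/assets" "Mozilla/5.0"
198.51.100.9 - - [21/Jun/2026:10:03:10 +0000] "GET /admin/actions/assets/preview-thumb?assetId=77&width=120&height=120 HTTP/1.1" 200 1351 "https://cms.example/admin/assets" "Mozilla/5.0"
198.51.100.9 - - [21/Jun/2026:10:03:40 +0000] "GET /admin/assets HTTP/1.1" 200 18320 "-" "Mozilla/5.0"
"""

ENDPOINT_SUFFIX = "/actions/assets/preview-thumb"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def preview_thumb_requests(log_text):
    """Yield (timestamp, client_ip, asset_id, status) for each request whose
    request line targets the preview-thumb action. Requests that name the
    action in a POST body instead of the path are invisible here."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith(ENDPOINT_SUFFIX):
            continue
        raw = parse_qs(parts.query).get("assetId", [""])[0]
        asset_id = int(raw) if raw.isdigit() else None
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["ip"], asset_id, int(m["status"])


def find_enumerators(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {client_ip: all distinct assetIds that client fetched} for clients
    that requested at least `threshold` distinct assetIds inside any span of
    length `window`. Only 200 responses count: a patched server answers the
    unauthorized ones with an error status, and those deserve their own alert."""
    by_client = defaultdict(list)
    for ts, ip, asset_id, status in preview_thumb_requests(log_text):
        if asset_id is not None and status == 200:
            by_client[ip].append((ts, asset_id))

    flagged = {}
    for ip, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Sliding window: drop events older than `window` relative to events[end].
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {asset for _, asset in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = sorted({asset for _, asset in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip} requested {len(ids)} distinct asset previews: {ids}")
```

On the sample, 203.0.113.7 is flagged for six distinct ids inside a few seconds while 198.51.100.9, which fetched one preview, is not. The client address is only a proxy for the user; before acting on a hit, tie the address and time range back to the Craft session that was logged in.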

Compliance Impact

The flaw lets a Control Panel user who has not been granted view permission on a private asset obtain a signed preview link for it, with no permission check performed.

Where private volumes hold regulated data (personal data under GDPR, health information under HIPAA), that is an access-control failure of the kind both regimes require organizations to prevent, and an instance that was actually exploited may need to be assessed as a reportable breach. The real exposure depends on what the private assets contain and on how many Control Panel accounts exist, so an inventory of the affected volumes should inform the assessment.

Mitigation Strategies

Upgrade to Craft CMS 4.17.8 or later on the 4.x line, or 5.9.14 or later on the 5.x line.

The fix adds the missing permission check to AssetsController.php so that the assets/preview-thumb action requires the viewAssets permission (and viewPeerAssets for assets uploaded by another user) before any preview is generated. The order matters: the preview link is signed by the server, so once it has been handed out the permission check can no longer be applied to whoever uses it.

Where the upgrade has to wait, reduce exposure rather than trying to filter by asset permission at the edge, which a reverse proxy cannot do:

  • Exploitation needs a Control Panel login, so review which accounts have one and disable those that do not need it.
  • Denying the action path at the reverse proxy is possible but removes asset previews for every Control Panel user, and it does not cover requests that name the action in the POST body.
  • Log and review use of assets/preview-thumb, with attention to clients requesting many distinct assetIds, until the patched version is deployed.
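
A small model of the flaw and of the fix, added here to show why the check has to precede link generation. This is not Craft's code: the class and function names, the per-volume permission strings (viewAssets:<volume> / viewPeerAssets:<volume>) and the HMAC signing scheme are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Model of the flaw and of the fix; not Craft's code. Names, the per-volume
# permission strings and the signing scheme are assumptions for illustration.
SIGNING_KEY = b"example-only-key"  # stands in for the application's secret


@dataclass(frozen=True)
class Asset:
    id: int
    volume: str       # volume the asset lives in; permissions are scoped to it
    uploader_id: int  # user who uploaded it
    filename: str


@dataclass(frozen=True)
class User:
    id: int
    permissions: frozenset


class Forbidden(Exception):
    """Raised where the real controller would answer 403."""


def sign_preview_url(asset):
    """Build a server-signed preview URL. The signature covers only the path,
    so whoever holds the URL can use it."""
    path = f"/preview/{asset.id}/{asset.filename}"
    sig = hmac.new(SIGNING_KEY, path.encode(), hashlib.sha256).hexdigest()
    return f"{path}?sig={sig}"


def verify_preview_url(url):
    """What the image-serving side checks: the signature, never the caller."""
    path, _, query = url.partition("?")
    expected = hmac.new(SIGNING_KEY, path.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(query[len("sig="):], expected)


def can_view(user, asset):
    """viewAssets on the asset's volume is required; viewPeerAssets is also
    required when another user uploaded the asset."""
    if f"viewAssets:{asset.volume}" not in user.permissions:
        return False
    if asset.uploader_id != user.id and f"viewPeerAssets:{asset.volume}" not in user.permissions:
        return False
    return True


def preview_thumb_vulnerable(user, asset):
    # Unfixed behaviour: a signed link is generated for any asset, whoever asks.
    return f'<img src="{sign_preview_url(asset)}">'


def preview_thumb_fixed(user, asset):
    # Fixed behaviour: authorize first, so no link exists for a denied caller.
    if not can_view(user, asset):
        raise Forbidden(f"user {user.id} may not view asset {asset.id}")
    return f'<img src="{sign_preview_url(asset)}">'


def extract_link(html):
    return html.split('src="', 1)[1].split('"', 1)[0]


def demo():
    """Constructed scenario: a private asset uploaded by user 1, requested by
    user 2 whose only permission is on a different volume."""
    private = Asset(id=42, volume="private-uid", uploader_id=1, filename="contract.pdf")
    attacker = User(id=2, permissions=frozenset({"viewAssets:public-uid"}))
    leaked = extract_link(preview_thumb_vulnerable(attacker, private))
    try:
        preview_thumb_fixed(attacker, private)
        fixed_denied = False
    except Forbidden:
        fixed_denied = True
    owner = User(id=1, permissions=frozenset({"viewAssets:private-uid"}))
    return {
        "vulnerable_leaks_valid_link": verify_preview_url(leaked),
        "fixed_denies_attacker": fixed_denied,
        "fixed_allows_owner": extract_link(preview_thumb_fixed(owner, private)) == leaked,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that verify_preview_url has no notion of who is asking; the only place identity can be enforced is before sign_preview_url runs, which is exactly what the fixed handler does and the vulnerable one omits.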
