CVE-2026-56394
Status: Received - Intake
Authenticated Path Traversal in Craft CMS via Unvalidated Extension Parameter

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulnCheck

Description
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.
Meta Information
Published: 2026-06-21
Last Modified: 2026-06-21
Generated: 2026-06-21
AI Q&A: 2026-06-21
EPSS Evaluated: N/A
Affected Vendors & Products (4 associated CPEs)
Vendor    Product    Version / Range
craftcms  craft_cms  From 4.0.0-RC1 (inc) to 4.17.6 (inc)
craftcms  craft_cms  From 5.0.0-RC1 (inc) to 5.9.12 (inc)
craftcms  craft_cms  4.17.7
craftcms  craft_cms  5.9.13
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

CVE-2026-56394 is an authenticated path traversal vulnerability in Craft CMS affecting versions 4.0.0-RC1 to 4.17.6 and 5.0.0-RC1 to 5.9.12. The flaw exists in the assets/icon endpoint where the extension parameter is not properly validated before checking if a file exists.

Attackers with valid credentials can exploit this vulnerability by using path traversal sequences to bypass the extension validation. This allows them to access local SVG files on the server that the application process can read.

The vulnerability is tracked under CWE-22 and has a CVSS v4 score of 7.1, indicating medium severity. It was fixed by adding input validation to ensure the extension parameter contains only valid characters, preventing traversal attacks.

Impact Analysis

This vulnerability allows authenticated users to read local SVG files on the server by bypassing extension validation through path traversal sequences.

The impact is that sensitive or confidential files accessible to the application process could be exposed to attackers with valid credentials, potentially leading to information disclosure.

Since the vulnerability requires authentication, the risk is limited to users who already have some level of access, but it still poses a significant threat to data confidentiality.

Detection Guidance

This vulnerability involves an authenticated path traversal in the assets/icon endpoint of Craft CMS, where the extension parameter is not properly validated. Detection would require monitoring or testing authenticated requests to this endpoint for path traversal sequences that bypass extension validation.

Since the vulnerability allows reading local SVG files by exploiting traversal sequences in the extension parameter, detection can involve sending crafted authenticated HTTP requests to the assets/icon endpoint with traversal payloads and observing if local files are returned.

Example command using curl to test the vulnerability (replace placeholders accordingly):

  • curl -i -b "session=YOUR_AUTH_COOKIE" "https://your-craftcms-site.com/assets/icon?extension=../../../../etc/passwd%00.svg"

If the response contains contents of local files (like /etc/passwd or other SVG files), it indicates the vulnerability is present.

Additionally, reviewing server logs for unusual requests to the assets/icon endpoint with suspicious extension parameters containing traversal sequences can help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade Craft CMS to a patched version where the vulnerability is fixed.

  • Upgrade Craft CMS to version 4.17.7 or later if using the 4.x branch, or to version 5.9.13 or later if using the 5.x branch.

The patch adds proper input validation on the extension parameter in the assets/icon endpoint, preventing path traversal attacks by ensuring only valid word characters are accepted.

Until the upgrade can be applied, restrict access to the assets/icon endpoint to trusted authenticated users only, and monitor for suspicious requests containing traversal sequences.

Consider implementing web application firewall (WAF) rules to block requests with suspicious path traversal patterns in the extension parameter.
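The log-review and WAF advice above, and the fix's "only valid word characters" rule, both come down to the same check on the decoded extension parameter. The following added example (not Craft CMS code, and not from the advisory) is a small Python log reviewer: it parses common-log-format lines, pulls the extension parameter from requests to the assets/icon endpoint, fully percent-decodes it (so double-encoded sequences are caught too), and flags any value that would fail a word-character check. The regex used for that check is an assumption that mirrors the rule the patch description gives; it is not Craft's actual code. The log lines are constructed samples.

```python
"""Flag assets/icon requests whose `extension` parameter would fail a
word-character check. Added example, not Craft CMS code."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the patched endpoint accepts only word characters in `extension`.
# This regex mirrors that rule as described; it is not Craft's own validation.
VALID_EXTENSION = re.compile(r"^\w+$", re.ASCII)

# Common log format (host ident user [time] "request" status size).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def extension_is_valid(ext: str) -> bool:
    """True only if `ext` consists solely of [A-Za-z0-9_] characters."""
    return bool(VALID_EXTENSION.match(ext))


def extract_extension(target: str) -> Optional[str]:
    """Return the fully decoded `extension` query value for a request to the
    assets/icon endpoint, or None when the request is not to that endpoint or
    carries no such parameter."""
    parts = urlsplit(target)
    if "assets/icon" not in parts.path:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("extension")
    if not values:
        return None
    ext = values[0]  # parse_qs already decoded one layer
    # Decode again (bounded) so double-encoded sequences such as %252e are seen.
    for _ in range(3):
        decoded = unquote(ext)
        if decoded == ext:
            break
        ext = decoded
    return ext


def review_log(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (user, decoded extension, HTTP status) for every assets/icon
    request whose extension parameter fails the word-character check."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ext = extract_extension(m.group("target"))
        if ext is None or extension_is_valid(ext):
            continue
        findings.append((m.group("user"), ext, int(m.group("status"))))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - editor [21/Jun/2026:10:00:00 +0000] "GET /assets/icon?extension=svg HTTP/1.1" 200 512',
    '10.0.0.5 - editor [21/Jun/2026:10:00:01 +0000] "GET /assets/icon?extension=..%2F..%2F..%2Fetc%2Fpasswd%00.svg HTTP/1.1" 200 1024',
    '10.0.0.7 - admin [21/Jun/2026:10:00:02 +0000] "GET /assets/icon?extension=%252e%252e%2Fx HTTP/1.1" 404 0',
    '10.0.0.9 - - [21/Jun/2026:10:00:03 +0000] "GET /index.php?p=..%2F..%2F HTTP/1.1" 200 2048',
    '10.0.0.5 - editor [21/Jun/2026:10:00:04 +0000] "GET /assets/icon?extension=png HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for user, ext, status in review_log(SAMPLE_LOG):
        print(f"user={user!r} extension={ext!r} status={status}")
```

Requests flagged with a 200 status deserve first attention, since the endpoint answered rather than rejected them; a flagged request with a non-200 status is still worth correlating against the user account that made it, because the advisory's trigger is an authenticated session. The same `extension_is_valid` rule, applied to the decoded parameter, is also the natural shape of a WAF condition for this endpoint.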
