GHSA-x76w-8c62-48mgMediumDisclosed before NVD

Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permission

Published
July 6, 2026
Last Modified
July 6, 2026

📋 Description

Summary

A user with Control Panel access but without permission to view a target private asset can call assets/preview-thumb and receive preview HTML that contains a signed fallback transform link for that private asset.

Details

Root-cause analysis:

  1. The endpoint accepts an attacker-controlled assetId.
  2. Asset is resolved, and thumbnail HTML is returned.
  3. No explicit asset-view permission check is performed before preview generation.

Impact

Type:

  1. Missing authorization
  2. Unauthorized preview-link disclosure

Affected deployments:

  1. Craft sites with control panel users who have partial permissions and private assets.

Security consequence:

  1. A control panel user without asset-view permission can still obtain signed preview transform link data for private assets.
  2. This may increase private asset exposure risk depending on deployment and endpoint chaining.

Resources

https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27

🎯 Affected products2

  • composer/craftcms/cms:>= 4.0.0-RC1, <= 4.17.7
  • composer/craftcms/cms:>= 5.0.0-RC1, <= 5.9.13

🔗 References (3)