GHSA-xj2c-g5xp-4p47MediumCVSS 4.3
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A...
🔗 CVE IDs covered (1)
📋 Description
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.
🔗 References (5)
- https://github.com/craftcms/cms/security/advisories/GHSA-x76w-8c62-48mg
- https://nvd.nist.gov/vuln/detail/CVE-2026-56384
- https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27
- https://www.vulncheck.com/advisories/craft-cms-missing-authorization-in-assets-preview-thumb-endpoint
- https://github.com/advisories/GHSA-xj2c-g5xp-4p47