Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68436

CVE-2025-68436: Craft CMS Information Disclosure Flaw

CVE-2025-68436 is an information disclosure vulnerability in Craft CMS that allows authenticated users to expose sensitive assets via profile photos. This article covers the technical details, affected versions, and patches.

Updated:

CVE-2025-68436 Overview

CVE-2025-68436 is an Information Exposure vulnerability affecting Craft CMS, a popular platform for creating digital experiences. Authenticated users on vulnerable Craft CMS installations can potentially expose sensitive assets through their user profile photo functionality via maliciously crafted requests. This vulnerability affects the photoId attribute handling in the User element class.

Critical Impact

Authenticated attackers can leverage malicious requests to access sensitive assets that should be protected, potentially exposing confidential files and data stored on the Craft CMS installation.

Affected Products

  • Craft CMS versions 5.0.0-RC1 through 5.8.20
  • Craft CMS versions 4.0.0-RC1 through 4.16.16

Discovery Timeline

  • 2026-01-05 - CVE CVE-2025-68436 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-68436

Vulnerability Analysis

This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw exists in how Craft CMS handles the photoId attribute within the User element class. Authenticated users can craft malicious requests that manipulate the profile photo functionality to access sensitive assets that would normally be restricted.

The vulnerability is exploitable over the network and requires low privileges (an authenticated user account). No user interaction is required for exploitation. The primary impact is on confidentiality, as attackers can potentially access sensitive files and assets stored within the CMS.

Root Cause

The root cause of this vulnerability lies in the improper handling of the photoId attribute in the User.php element class. Prior to the patch, the photoId attribute was included in the list of safe attributes, allowing authenticated users to manipulate this value through mass assignment. This could be exploited to reference and expose arbitrary assets by associating them with a user's profile photo.

Attack Vector

The attack vector is network-based and requires an authenticated user session. An attacker with valid credentials to a Craft CMS installation can craft malicious requests that manipulate the photoId parameter. By setting this parameter to reference sensitive asset IDs, the attacker can potentially access and expose files that should be protected by the CMS access controls.

The following patch was applied to address this vulnerability by removing photoId from the safe attributes list:

php
    /**
     * @inheritdoc
     */
    public function safeAttributes(): array
    {
        return ArrayHelper::withoutValue(parent::safeAttributes(), 'photoId');
    }

Source: GitHub Commit

This fix ensures that photoId cannot be set through mass assignment, preventing attackers from manipulating user profile photos to reference sensitive assets.

Detection Methods for CVE-2025-68436

Indicators of Compromise

  • Unusual requests to user profile endpoints containing unexpected photoId parameter values
  • Access logs showing authenticated users attempting to reference asset IDs they shouldn't have access to
  • Anomalous patterns of user profile updates targeting the photo functionality

Detection Strategies

  • Monitor HTTP request logs for suspicious manipulation of photoId parameters in user profile requests
  • Implement application-layer logging to track changes to user profile photos and associated asset IDs
  • Review access logs for users attempting to access assets outside their permission scope

Monitoring Recommendations

  • Enable detailed audit logging for user profile modifications in Craft CMS
  • Configure alerts for unusual patterns of asset access following user profile updates
  • Implement file integrity monitoring on sensitive asset directories

How to Mitigate CVE-2025-68436

Immediate Actions Required

  • Update Craft CMS 5.x installations to version 5.8.21 or later
  • Update Craft CMS 4.x installations to version 4.16.17 or later
  • Review user activity logs for any suspicious profile photo manipulation attempts
  • Audit sensitive assets to ensure no unauthorized access has occurred

Patch Information

Craft CMS has released patched versions that address this vulnerability. The fix removes photoId from the list of safe attributes in the User element class, preventing mass assignment of this value. Users should update to the following versions:

  • Craft CMS 5.x: Update to version 5.8.21 or later
  • Craft CMS 4.x: Update to version 4.16.17 or later

For detailed patch information, refer to the GitHub Security Advisory and the commit fix.

Workarounds

  • Restrict access to sensitive assets using filesystem-level permissions as an additional layer of defense
  • Implement additional access control rules at the web server level for sensitive asset directories
  • Consider limiting user profile photo upload capabilities to trusted users until patching is complete
bash
# Update Craft CMS using Composer
composer update craftcms/cms

# Verify the installed version
./craft version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.