CVE-2026-33158 Overview
CVE-2026-33158 is an Insecure Direct Object Reference (IDOR) vulnerability in Craft CMS, a popular content management system. This vulnerability allows low-privileged authenticated users to access private asset content by exploiting insufficient authorization checks in the assets/edit-image endpoint. By supplying an arbitrary assetId parameter, attackers can bypass access controls and retrieve image bytes or preview redirects for assets they are not authorized to view, potentially leading to unauthorized disclosure of sensitive private files.
Critical Impact
Authenticated attackers can access and download private assets belonging to other users or restricted areas, leading to potential exposure of confidential images, documents, and sensitive business data stored in the CMS.
Affected Products
- Craft CMS versions 4.0.0-RC1 through 4.17.7
- Craft CMS versions 5.0.0-RC1 through 5.9.13
- All installations with authenticated user accounts and private assets
Discovery Timeline
- 2026-03-24 - CVE-2026-33158 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33158
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key, commonly known as an Insecure Direct Object Reference (IDOR). The flaw exists in Craft CMS's asset management functionality, specifically within the assets/edit-image endpoint responsible for serving image content and previews.
When an authenticated user makes a request to the assets/edit-image endpoint, the application accepts an assetId parameter that directly references assets stored in the system. However, the endpoint fails to perform adequate per-asset authorization checks before returning the requested content. This means any authenticated user, regardless of their permission level, can request and receive image bytes or preview redirects for any asset in the system simply by iterating through or guessing valid asset IDs.
The vulnerability is particularly concerning in multi-tenant environments or organizations that rely on Craft CMS's permission model to segregate private content between different user groups or projects.
Root Cause
The root cause of this vulnerability is missing per-asset view authorization in the assets/edit-image endpoint. The endpoint requires an authenticated session, but it does not verify that the authenticated user holds read permission for the specific asset referenced by assetId before returning its content. In other words, the check was performed once at the endpoint level (is anyone logged in?) rather than at the individual asset resource level (may this user see this asset?), violating the principle of least privilege.
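The following is an added illustration, not Craft CMS code and not the vendor's patch: it models the two authorization styles the paragraph contrasts. The endpoint-level check only asks whether a session exists; the per-asset check also requires a view permission on the asset's volume. The volume concept and the "viewAssets:<volume>" permission naming are assumptions for the model, as is the choice to return the same error for missing and unauthorized assets so that the endpoint does not reveal which assetIds exist. The sample assets and users are constructed.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller may not see the resource (or it does not exist)."""


@dataclass(frozen=True)
class Asset:
    id: int
    volume: str      # assumed model: every asset belongs to one volume
    content: bytes


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # assumed naming: "viewAssets:<volume>"


# Constructed sample data: a public volume and a restricted HR volume.
ASSETS = {
    100: Asset(100, "public", b"logo-png-bytes"),
    101: Asset(101, "public", b"banner-png-bytes"),
    102: Asset(102, "hr", b"salary-sheet-scan"),
    103: Asset(103, "hr", b"badge-photo"),
}


def edit_image_vulnerable(user, asset_id):
    """Endpoint-level check only: the sole requirement is a logged-in user,
    so any assetId the caller supplies is served."""
    if user is None:
        raise Forbidden("authentication required")
    asset = ASSETS.get(asset_id)
    if asset is None:
        raise Forbidden("no such asset")
    return asset.content


def edit_image_fixed(user, asset_id):
    """Per-asset check: the caller must hold view rights on the volume that
    owns the asset. Missing and unauthorized assets raise the same error so
    the endpoint cannot be used to learn which ids exist."""
    if user is None:
        raise Forbidden("authentication required")
    asset = ASSETS.get(asset_id)
    if asset is None or f"viewAssets:{asset.volume}" not in user.permissions:
        raise Forbidden("asset not found or not viewable")
    return asset.content


def served_asset_ids(handler, user, candidate_ids):
    """Authorization-matrix check for a test suite: which candidate ids does
    this handler actually serve to this user?"""
    served = []
    for asset_id in candidate_ids:
        try:
            handler(user, asset_id)
        except Forbidden:
            continue
        served.append(asset_id)
    return served


if __name__ == "__main__":
    marketing = User("marketing-editor", frozenset({"viewAssets:public"}))
    ids = range(100, 105)
    print("vulnerable handler serves:", served_asset_ids(edit_image_vulnerable, marketing, ids))
    print("fixed handler serves:     ", served_asset_ids(edit_image_fixed, marketing, ids))
```

The served_asset_ids helper is the kind of check worth keeping in a regression suite: for each role, assert the set of ids the endpoint serves equals the set that role is entitled to, so a future refactor that drops the per-asset check fails a test rather than shipping.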
Attack Vector
An attacker with any valid authenticated session in Craft CMS can exploit this vulnerability through the following approach:
The attack is network-based and requires low privileges (any authenticated account). The attacker sends HTTP requests to the assets/edit-image endpoint with different assetId values to enumerate and retrieve private assets. Since asset IDs are typically sequential integers, an attacker can systematically iterate through potential IDs to discover and download private content they should not have access to.
The vulnerability does not require user interaction and can be automated to bulk-download private assets from the affected CMS installation.
Detection Methods for CVE-2026-33158
Indicators of Compromise
- Unusual volume of requests to the assets/edit-image endpoint from a single user session
- Access logs showing sequential or pattern-based assetId requests from authenticated users
- Users accessing assets outside their assigned permission scope as revealed in audit logs
Detection Strategies
- Monitor web server access logs for high-frequency requests to /actions/assets/edit-image with varying assetId parameters
- Implement anomaly detection for authenticated users requesting assets they haven't previously accessed
- Review Craft CMS audit logs for patterns of asset access that cross permission boundaries
Monitoring Recommendations
- Enable detailed request logging on the Craft CMS application server
- Set up alerts for enumeration patterns such as sequential ID access within short time windows
- Conduct periodic access reviews to identify any unauthorized asset access
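As an added example for the Detection Strategies and Monitoring Recommendations above (not part of the original advisory), this script scans web server access logs for the enumeration pattern described: one authenticated actor requesting many distinct, mostly consecutive assetId values against /actions/assets/edit-image inside a short time window. The log lines are constructed; the trailing user= field is an assumed custom nginx log variable carrying the Craft username, which the stock combined format does not include, so adapt the regex to whatever your log format records (session cookie hash, client IP, or similar).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed nginx-style access log lines (not real traffic). The trailing
# "user=" field is an assumed custom log variable naming the authenticated
# Craft user; the standard combined format does not carry it.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Mar/2026:10:00:01 +0000] "GET /actions/assets/edit-image?assetId=1041 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" user=editor1
203.0.113.10 - - [24/Mar/2026:10:00:02 +0000] "GET /actions/assets/edit-image?assetId=1042 HTTP/1.1" 200 4811 "-" "Mozilla/5.0" user=editor1
203.0.113.10 - - [24/Mar/2026:10:00:03 +0000] "GET /actions/assets/edit-image?assetId=1043 HTTP/1.1" 200 6020 "-" "Mozilla/5.0" user=editor1
203.0.113.10 - - [24/Mar/2026:10:00:04 +0000] "GET /actions/assets/edit-image?assetId=1044 HTTP/1.1" 302 0 "-" "Mozilla/5.0" user=editor1
203.0.113.10 - - [24/Mar/2026:10:00:05 +0000] "GET /actions/assets/edit-image?assetId=1045 HTTP/1.1" 200 3990 "-" "Mozilla/5.0" user=editor1
203.0.113.10 - - [24/Mar/2026:10:00:06 +0000] "GET /actions/assets/edit-image?assetId=1046 HTTP/1.1" 200 7100 "-" "Mozilla/5.0" user=editor1
203.0.113.10 - - [24/Mar/2026:10:00:07 +0000] "GET /actions/assets/edit-image?assetId=1047 HTTP/1.1" 200 5555 "-" "Mozilla/5.0" user=editor1
203.0.113.10 - - [24/Mar/2026:10:00:08 +0000] "GET /actions/assets/edit-image?assetId=1048 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" user=editor1
198.51.100.7 - - [24/Mar/2026:10:02:10 +0000] "GET /actions/assets/edit-image?assetId=77 HTTP/1.1" 200 9100 "-" "Mozilla/5.0" user=editor2
198.51.100.7 - - [24/Mar/2026:10:05:41 +0000] "GET /admin/dashboard HTTP/1.1" 200 15000 "-" "Mozilla/5.0" user=editor2
198.51.100.7 - - [24/Mar/2026:10:09:03 +0000] "GET /actions/assets/edit-image?assetId=312 HTTP/1.1" 200 8800 "-" "Mozilla/5.0" user=editor2
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "[^"]*" user=(?P<user>\S+)$'
)
EDIT_IMAGE_PATH = "/actions/assets/edit-image"


def parse_events(log_text):
    """Return (user, ip, timestamp, assetId) for every edit-image request.
    Lines for other paths or without a numeric assetId are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != EDIT_IMAGE_PATH:
            continue
        ids = parse_qs(url.query).get("assetId")
        if not ids or not ids[0].isdigit():
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("user"), m.group("ip"), ts, int(ids[0])))
    return events


def detect_enumeration(log_text, window=timedelta(seconds=60),
                       min_distinct=5, min_sequential_ratio=0.6):
    """Flag (user, ip) pairs that request at least min_distinct different
    assetIds within one window, where the sorted ids are mostly consecutive.
    One alert per pair, describing the densest qualifying window."""
    by_actor = defaultdict(list)
    for user, ip, ts, asset_id in parse_events(log_text):
        by_actor[(user, ip)].append((ts, asset_id))

    alerts = []
    for (user, ip), reqs in by_actor.items():
        reqs.sort()
        best = None
        for i in range(len(reqs)):
            j = i
            while j + 1 < len(reqs) and reqs[j + 1][0] - reqs[i][0] <= window:
                j += 1
            ids = sorted({aid for _, aid in reqs[i:j + 1]})
            if len(ids) < min_distinct:
                continue
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            ratio = steps / (len(ids) - 1)
            if ratio >= min_sequential_ratio and (best is None or len(ids) > best["distinct_ids"]):
                best = {"user": user, "ip": ip, "distinct_ids": len(ids),
                        "sequential_ratio": round(ratio, 2),
                        "id_range": (ids[0], ids[-1]),
                        "window_start": reqs[i][0].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_enumeration(SAMPLE_LOG):
        print(f"ALERT user={a['user']} ip={a['ip']} distinct={a['distinct_ids']} "
              f"sequential={a['sequential_ratio']} ids={a['id_range']} from={a['window_start']}")
```

Tune min_distinct and the window to your site's normal editing behaviour: a legitimate editor cropping a handful of images in one session should stay below the threshold, while a run of dozens of consecutive ids in under a minute is the pattern the Indicators of Compromise section describes. Because the endpoint serves bytes or a preview redirect, both 200 and 302 responses count as successful requests here.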
How to Mitigate CVE-2026-33158
Immediate Actions Required
- Upgrade Craft CMS 4.x installations to version 4.17.8 or later immediately
- Upgrade Craft CMS 5.x installations to version 5.9.14 or later immediately
- Review access logs for signs of exploitation before the patch is applied
- Audit any sensitive assets that may have been exposed
Patch Information
Craft CMS has released security patches that address this vulnerability by implementing proper per-asset authorization checks in the assets/edit-image endpoint. The fixes are available in:
- Craft CMS 4.17.8 for the 4.x branch
- Craft CMS 5.9.14 for the 5.x branch
The security fix is documented in GitHub commit 7290d91639e5e3a4f7e221dfbef95c9b77331860. For full details, refer to the GitHub Security Advisory GHSA-3pvf-vxrv-hh9c.
Workarounds
- Restrict access to the Craft CMS control panel to trusted IP addresses using firewall rules or web server configuration
- Implement a Web Application Firewall (WAF) rule to rate-limit requests to the assets/edit-image endpoint
- Temporarily disable low-privileged user accounts until the patch can be applied
# Example nginx configuration to restrict control panel access by IP.
# Craft's default control panel trigger is "admin" and its default action
# trigger is "actions"; adjust both paths if your config.php changes them.
# Keep your existing try_files/fastcgi directives inside these blocks, since
# a more specific location block does not inherit them from other locations.
location /admin {
    allow 192.168.1.0/24;  # Trusted internal network
    allow 10.0.0.50;       # Admin workstation
    deny all;
}
# The vulnerable endpoint is served under the action trigger, not /admin,
# so restricting /admin alone does not cover it. Requests that reach the
# action through another route (for example a p= query parameter on
# index.php) are not matched by this exact-path rule.
location = /actions/assets/edit-image {
    allow 192.168.1.0/24;
    allow 10.0.0.50;
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.