CVE-2026-33160 Overview
CVE-2026-33160 is an Authorization Bypass vulnerability affecting Craft CMS, a popular content management system. The vulnerability exists in the assets/generate-transform endpoint, which allows unauthenticated users to access private asset transformations without proper authorization checks. An attacker can call this endpoint with a private assetId, receive a valid transform URL, and subsequently fetch transformed image bytes that should be protected.
Critical Impact
Unauthenticated attackers can access private assets by exploiting the anonymous assets/generate-transform endpoint, which fails to enforce per-asset authorization before returning transform URLs.
Affected Products
- Craft CMS versions 4.0.0-RC1 through 4.17.7
- Craft CMS versions 5.0.0-RC1 through 5.9.13
- Craft CMS installations in the affected version ranges with asset transformation functionality enabled
Discovery Timeline
- 2026-03-24 - CVE-2026-33160 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33160
Vulnerability Analysis
This vulnerability represents a classic Insecure Direct Object Reference (IDOR) combined with Authorization Bypass (CWE-639: Authorization Bypass Through User-Controlled Key). The assets/generate-transform endpoint in Craft CMS processes asset transformation requests without validating whether the requesting user has permission to access the specified asset.
When an asset is marked as private in Craft CMS, it should only be accessible to authorized users. However, the vulnerable endpoint accepts any assetId parameter and generates a valid transformation URL regardless of the asset's access restrictions. This design flaw allows unauthenticated external users to enumerate asset IDs and retrieve transformed versions of private images.
The vulnerability is network-accessible and requires no authentication or user interaction to exploit, though the impact is limited to confidentiality of private assets rather than system integrity or availability.
Root Cause
The root cause is a missing authorization check in the assets/generate-transform endpoint handler. The endpoint processes transformation requests and returns URLs without verifying that the requesting user has read permission for the specified asset. This is a failure to enforce access control at the endpoint level: the user-controlled assetId parameter is honoured directly, so asset-level permissions are never consulted.
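To show the root cause in isolation, the following Python model is an added example written for this page, not Craft CMS code: the Asset and User classes, the ASSETS store, the URL layout and both handler functions are hypothetical. It contrasts a handler that issues a transform URL for whatever assetId the caller supplies with one that checks the requesting user's permission on that specific asset before any URL is produced.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    id: int
    filename: str
    private: bool  # True when the asset must only be visible to authorized users


@dataclass(frozen=True)
class User:
    name: str
    can_view_private: bool  # stands in for a real per-volume/per-asset permission


# Constructed sample store (hypothetical; not Craft's data model).
ASSETS = {
    10: Asset(10, "hero.jpg", private=False),
    42: Asset(42, "contract-scan.png", private=True),
}


class AssetNotFound(LookupError):
    pass


class Forbidden(PermissionError):
    pass


def build_transform_url(asset: Asset, transform: str) -> str:
    # Hypothetical URL layout for a generated transform.
    return f"/transforms/{transform}/{asset.id}/{asset.filename}"


def generate_transform_vulnerable(asset_id: int, transform: str, user: Optional[User]) -> str:
    # CWE-639 pattern: the user-controlled key selects the object and the
    # handler never asks whether this caller may see it.
    asset = ASSETS.get(asset_id)
    if asset is None:
        raise AssetNotFound(asset_id)
    return build_transform_url(asset, transform)


def can_view(asset: Asset, user: Optional[User]) -> bool:
    # Per-asset authorization: public assets are visible to anyone,
    # private ones only to a logged-in user holding the right permission.
    if not asset.private:
        return True
    return user is not None and user.can_view_private


def generate_transform_fixed(asset_id: int, transform: str, user: Optional[User]) -> str:
    asset = ASSETS.get(asset_id)
    if asset is None:
        raise AssetNotFound(asset_id)
    if not can_view(asset, user):
        raise Forbidden(asset_id)  # deny before any URL is produced
    return build_transform_url(asset, transform)


def handle_request(handler, asset_id: int, transform: str, user: Optional[User]):
    # Maps the handler's outcome to an HTTP-style (status, body) pair.
    try:
        return 200, {"url": handler(asset_id, transform, user)}
    except AssetNotFound:
        return 404, {"error": "not found"}
    except Forbidden:
        return 403, {"error": "forbidden"}


if __name__ == "__main__":
    anonymous = None
    print("vulnerable, anonymous, private asset:", handle_request(generate_transform_vulnerable, 42, "thumb", anonymous))
    print("fixed, anonymous, private asset:     ", handle_request(generate_transform_fixed, 42, "thumb", anonymous))
    print("fixed, editor, private asset:        ", handle_request(generate_transform_fixed, 42, "thumb", User("editor", True)))
```

The essential property of the fixed handler is ordering: the authorization decision is made on the resolved asset, before a URL exists to hand back. Whether not-found and forbidden should be collapsed into one response to avoid revealing which IDs exist is a separate design choice that this model leaves visible on purpose.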
Attack Vector
The attack is executed over the network against the Craft CMS web application. An attacker can directly call the assets/generate-transform endpoint with arbitrary asset IDs to test for the existence of private assets and retrieve their transformed versions.
The exploitation flow involves:
- The attacker identifies a target Craft CMS installation
- The attacker sends requests to assets/generate-transform with enumerated or guessed assetId values
- For valid private assets, the endpoint returns a transform URL
- The attacker uses the returned URL to fetch the transformed image data
- Private asset content is disclosed to the unauthorized attacker
Detection Methods for CVE-2026-33160
Indicators of Compromise
- Unusual volume of requests to the assets/generate-transform endpoint from external IP addresses
- Sequential or pattern-based assetId values in request logs suggesting enumeration attempts
- Access to asset transform URLs from unauthenticated sessions
- High request rates to asset-related endpoints from single source IPs
Detection Strategies
- Monitor web server access logs for repeated requests to /actions/assets/generate-transform from unauthenticated users
- Implement rate limiting and alerting on the asset transformation endpoint
- Review application logs for asset access patterns that indicate enumeration activity
- Deploy web application firewall rules to detect and block IDOR attack patterns
Monitoring Recommendations
- Enable detailed logging for all asset-related endpoints including request parameters
- Configure alerts for anomalous asset access patterns, particularly for private assets
- Monitor for failed authentication attempts followed by direct asset endpoint access
- Track asset transformation requests correlated with session authentication status
How to Mitigate CVE-2026-33160
Immediate Actions Required
- Upgrade Craft CMS to version 4.17.8 or 5.9.14 immediately
- Audit access logs to identify potential exploitation of this vulnerability
- Review any private assets that may have been exposed prior to patching
- Consider temporarily restricting access to the assets/generate-transform endpoint if immediate patching is not possible
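The following Python script is an added example for this page, not tooling from Craft CMS or from the advisory. It serves two passages at once: the log-monitoring item under Detection Strategies and the log-audit item above. It parses combined-format web server access lines, keeps only requests to /actions/assets/generate-transform, flags source IPs whose assetId values run sequentially or arrive at a high rate, and then lists the asset IDs those sources were given a response for, so they can be cross-referenced against the site's private assets. The sample log lines, the thresholds and the assumption that a non-error status means a transform URL was issued are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Mar/2026:10:00:01 +0000] "GET /actions/assets/generate-transform?assetId=1041&transform=thumb HTTP/1.1" 200 312 "-" "curl/8.5.0"
203.0.113.10 - - [24/Mar/2026:10:00:01 +0000] "GET /actions/assets/generate-transform?assetId=1042&transform=thumb HTTP/1.1" 200 310 "-" "curl/8.5.0"
203.0.113.10 - - [24/Mar/2026:10:00:02 +0000] "GET /actions/assets/generate-transform?assetId=1043&transform=thumb HTTP/1.1" 200 309 "-" "curl/8.5.0"
203.0.113.10 - - [24/Mar/2026:10:00:02 +0000] "GET /actions/assets/generate-transform?assetId=1044&transform=thumb HTTP/1.1" 404 0 "-" "curl/8.5.0"
203.0.113.10 - - [24/Mar/2026:10:00:03 +0000] "GET /actions/assets/generate-transform?assetId=1045&transform=thumb HTTP/1.1" 200 311 "-" "curl/8.5.0"
203.0.113.10 - - [24/Mar/2026:10:00:03 +0000] "GET /actions/assets/generate-transform?assetId=1046&transform=thumb HTTP/1.1" 200 315 "-" "curl/8.5.0"
198.51.100.7 - - [24/Mar/2026:10:05:10 +0000] "GET /actions/assets/generate-transform?assetId=88&transform=hero HTTP/1.1" 200 330 "https://example.test/blog" "Mozilla/5.0"
198.51.100.7 - - [24/Mar/2026:10:07:44 +0000] "GET /actions/assets/generate-transform?assetId=91&transform=hero HTTP/1.1" 200 328 "https://example.test/blog" "Mozilla/5.0"
192.0.2.55 - - [24/Mar/2026:10:09:00 +0000] "GET /blog/post HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

ENDPOINT = "/actions/assets/generate-transform"

# Client IP, timestamp, request line and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_transform_requests(log_text, endpoint=ENDPOINT):
    """Return one event per request to the transform endpoint that carries a numeric assetId."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(endpoint):
            continue
        asset_id = parse_qs(parts.query).get("assetId", [None])[0]
        if asset_id is None or not asset_id.isdigit():
            continue
        events.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "asset_id": int(asset_id),
            "status": int(m.group("status")),
        })
    return events


def summarise_by_ip(events):
    """Per source IP: request count, distinct IDs, how sequential they are, and request rate."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    summary = {}
    for ip, evs in by_ip.items():
        ids = sorted({e["asset_id"] for e in evs})
        first = min(e["ts"] for e in evs)
        last = max(e["ts"] for e in evs)
        duration = max((last - first).total_seconds(), 1.0)  # avoid division by zero for bursts
        steps = [b - a for a, b in zip(ids, ids[1:])]
        seq_ratio = (sum(1 for s in steps if s == 1) / len(steps)) if steps else 0.0
        summary[ip] = {
            "requests": len(evs),
            "distinct_ids": len(ids),
            "sequential_ratio": seq_ratio,
            "rate_per_min": len(evs) / duration * 60,
            "ids": ids,
        }
    return summary


def is_enumeration(stats, min_ids=5, min_seq_ratio=0.5, max_rate_per_min=60.0):
    # Constructed thresholds: enough distinct IDs, and either a mostly-consecutive
    # ID sequence or a request rate no browsing user would produce.
    if stats["distinct_ids"] < min_ids:
        return False
    return stats["sequential_ratio"] >= min_seq_ratio or stats["rate_per_min"] > max_rate_per_min


def find_enumerators(log_text, **thresholds):
    """Source IPs whose transform requests look like assetId enumeration."""
    summary = summarise_by_ip(parse_transform_requests(log_text))
    return {ip: s for ip, s in summary.items() if is_enumeration(s, **thresholds)}


def exposed_asset_ids(log_text, **thresholds):
    """Asset IDs that flagged sources received a non-error response for; review these
    against the site's private assets. Assumes a non-error status means a URL was issued."""
    flagged = find_enumerators(log_text, **thresholds)
    ids = {e["asset_id"] for e in parse_transform_requests(log_text)
           if e["ip"] in flagged and e["status"] < 400}
    return sorted(ids)


if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {stats['requests']} requests, {stats['distinct_ids']} ids, "
              f"sequential={stats['sequential_ratio']:.2f}, rate={stats['rate_per_min']:.0f}/min")
    print("asset IDs to review:", exposed_asset_ids(SAMPLE_LOG))
```

Two caveats when running this against real logs. Web server access logs normally carry no session state, so deciding whether a flagged source was unauthenticated means correlating with application logs or session cookies rather than trusting the access log alone, and an assetId sent in a POST body rather than the query string is not visible here at all. If the site's templates generate transforms on request, legitimate front-end traffic to this endpoint exists, so the thresholds must be tuned to that baseline before the output is used for alerting.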
Patch Information
Craft CMS has released security patches addressing this vulnerability. The fix implements proper per-asset authorization checks before returning transform URLs. Patched versions are available:
- Craft CMS 4.x: Upgrade to version 4.17.8 or later - CraftCMS Release 4.17.8
- Craft CMS 5.x: Upgrade to version 5.9.14 or later - CraftCMS Release 5.9.14
The specific commit addressing this issue can be reviewed at GitHub Commit 7290d91639e. Additional details are available in the GitHub Security Advisory GHSA-5pgf-h923-m958.
Workarounds
- Implement network-level access controls to restrict access to the assets/generate-transform endpoint to authenticated users only
- Use a reverse proxy or WAF to require authentication before allowing requests to asset transformation endpoints
- Temporarily disable the asset transformation feature if it is not critical to operations
- Move sensitive private assets to external storage with separate authentication mechanisms
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.