CVE-2026-33161 Overview
CVE-2026-33161 is an information disclosure vulnerability in Craft CMS, a popular content management system. The vulnerability allows low-privileged authenticated users to access private asset metadata through the assets/image-editor endpoint without proper authorization validation. From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an attacker can call the image editor endpoint with the ID of a private asset they cannot view and still receive editor response data, including sensitive metadata like focalPoint information.
Critical Impact
Low-privileged authenticated users can enumerate and access private asset editing metadata, potentially exposing sensitive information about assets they should not have access to.
Affected Products
- Craft CMS versions 4.0.0-RC1 through 4.17.7
- Craft CMS versions 5.0.0-RC1 through 5.9.13
- All Craft CMS installations with authenticated users having low-privilege access
Discovery Timeline
- March 24, 2026 - CVE-2026-33161 published to NVD
- March 26, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33161
Vulnerability Analysis
This vulnerability represents a broken access control flaw (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) in the Craft CMS asset management functionality. The assets/image-editor endpoint fails to perform per-asset authorization validation before returning editing metadata to authenticated users.
When a user requests the image editor data for an asset, the application verifies that the user is authenticated but does not verify whether the user has permission to access that specific asset. This allows any authenticated user, regardless of their permission level, to obtain metadata about private assets simply by knowing or guessing the asset ID.
The vulnerability is network-accessible and requires low privileges (basic authentication). While the confidentiality impact is limited to metadata exposure rather than the full asset content, this information leakage could facilitate further attacks or reveal sensitive information about private files.
Root Cause
The root cause of this vulnerability is missing authorization checks at the asset-level within the assets/image-editor controller action. The endpoint authenticates the user but fails to validate whether the authenticated user has view permissions for the specific asset being requested. This oversight allows the endpoint to return private editing metadata without proper per-asset authorization validation.
Attack Vector
The attack can be executed by any authenticated user through the following sequence:
- Attacker authenticates to the Craft CMS application with minimal privileges
- Attacker identifies or enumerates asset IDs (potentially through other information disclosure vectors or sequential guessing)
- Attacker sends requests to the assets/image-editor endpoint with target asset IDs
- The server returns editor metadata including focal point data for private assets the attacker should not be able to access
The vulnerability is exploitable over the network with low attack complexity. No user interaction is required beyond the attacker's own actions. The technical details of exploitation involve making authenticated HTTP requests to the vulnerable endpoint while manipulating the asset ID parameter. For specific request formats and parameters, refer to the GitHub Security Advisory GHSA-vgjg-248p-rfm2.
Detection Methods for CVE-2026-33161
Indicators of Compromise
- Unusual access patterns to the assets/image-editor endpoint from low-privileged user accounts
- Sequential or bulk requests to the image editor endpoint with varying asset IDs
- Access logs showing requests for asset IDs that belong to restricted sections or private volumes
Detection Strategies
- Monitor web application logs for repeated requests to /actions/assets/image-editor with different asset ID parameters
- Implement alerting for authenticated users accessing asset metadata outside their permission scope
- Review access logs for patterns indicating asset ID enumeration attempts
Monitoring Recommendations
- Enable detailed access logging for Craft CMS administrative endpoints
- Configure web application firewall (WAF) rules to detect and alert on unusual asset endpoint access patterns
- Implement rate limiting on the assets/image-editor endpoint to slow enumeration attempts
How to Mitigate CVE-2026-33161
Immediate Actions Required
- Upgrade Craft CMS version 4.x installations to version 4.17.8 or later immediately
- Upgrade Craft CMS version 5.x installations to version 5.9.14 or later immediately
- Review access logs for any suspicious activity targeting the assets/image-editor endpoint
- Audit user accounts and privileges to ensure principle of least privilege is applied
Patch Information
Craft CMS has released patched versions that address this authorization bypass vulnerability. The fix adds proper per-asset authorization validation to the image editor endpoint before returning metadata.
- Version 4.17.8: GitHub Release 4.17.8
- Version 5.9.14: GitHub Release 5.9.14
- Commit Reference: GitHub Commit d30df31
Workarounds
- Restrict access to the Craft CMS control panel to trusted networks only using firewall rules or VPN requirements
- Implement additional authentication layers (such as multi-factor authentication) for all CMS users
- Consider temporarily disabling or restricting the image editor functionality until patches can be applied
# Example: Restrict access to Craft CMS admin panel via nginx
location /admin {
allow 10.0.0.0/8; # Internal network
allow 192.168.0.0/16; # Trusted network
deny all; # Block all other access
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
