PT-2026-27466 · Craft Cms · Craft Cms

Susen2

Published 2026-03-24 · Updated 2026-03-24 · CVE-2026-33161

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Craft CMS versions 4.0.0-RC1 through 4.17.7
Craft CMS versions 5.0.0-RC1 through 5.9.13

Description

A low-privileged authenticated user can access editor response data, including focalPoint, for private assets they are not authorized to view. The /assets/image-editor API endpoint returns private editing metadata without proper authorization checks. The issue stems from the actionImageEditor() function accepting an assetId without validating the user's access rights to the corresponding asset before returning data such as html and focalPoint.

Recommendations

Update to Craft CMS version 4.17.8 or later.
Update to Craft CMS version 5.9.14 or later.
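As an added illustration (not Craft CMS's code and not the fix the vendor shipped), the following Python models the defect the description names: an image-editor handler that resolves an assetId and returns html and focalPoint without first checking that the caller may view that asset, beside a variant that performs the check before rendering anything. The User and Asset types, the ASSETS sample table and the policy in can_view_asset are constructed for this example.

```python
"""Missing-authorization pattern on an asset editor endpoint.

Added, framework-agnostic illustration of the advisory's root cause
(constructed example, not Craft CMS code). A handler receives an asset id
from an authenticated, low-privileged user and returns editing metadata
(html and focalPoint). The vulnerable variant only checks that the asset
exists; the fixed variant also checks that the caller may view it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False


@dataclass(frozen=True)
class Asset:
    id: int
    owner_id: int
    private: bool
    focal_point: tuple  # (x, y) in the 0..1 range


# Constructed sample data: asset 1 is public, asset 2 is private to user 20.
ASSETS = {
    1: Asset(1, owner_id=10, private=False, focal_point=(0.5, 0.5)),
    2: Asset(2, owner_id=20, private=True, focal_point=(0.25, 0.75)),
}


class Forbidden(Exception):
    """Caller is authenticated but not allowed to view this asset."""


class NotFound(Exception):
    """No asset with the given id."""


def can_view_asset(user, asset):
    """Constructed policy: public assets are visible to any authenticated
    user; private assets only to their owner or an admin."""
    return (not asset.private) or asset.owner_id == user.id or user.is_admin


def render_editor(asset):
    """Build the editor response: markup plus the asset's focal point."""
    return {
        "html": f'<div class="image-editor" data-asset="{asset.id}"></div>',
        "focalPoint": {"x": asset.focal_point[0], "y": asset.focal_point[1]},
    }


def image_editor_vulnerable(user, asset_id):
    """Looks the asset up by id and returns its metadata to ANY
    authenticated user: existence is checked, authorization is not."""
    asset = ASSETS.get(asset_id)
    if asset is None:
        raise NotFound(asset_id)
    return render_editor(asset)


def image_editor_fixed(user, asset_id):
    """Same lookup, but the access check runs before any private data
    (markup or focalPoint) is rendered, so the handler fails closed."""
    asset = ASSETS.get(asset_id)
    if asset is None:
        raise NotFound(asset_id)
    if not can_view_asset(user, asset):
        raise Forbidden(f"user {user.id} may not view asset {asset_id}")
    return render_editor(asset)


def attempt(handler, user, asset_id):
    """Run a handler and map its outcome to an HTTP-like status so the
    two variants can be compared side by side."""
    try:
        return 200, handler(user, asset_id)
    except Forbidden:
        return 403, None
    except NotFound:
        return 404, None


if __name__ == "__main__":
    outsider = User(99)  # authenticated, low-privileged, not the owner
    for name, handler in (("vulnerable", image_editor_vulnerable),
                          ("fixed", image_editor_fixed)):
        status, body = attempt(handler, outsider, 2)
        print(f"{name:10s} private asset 2 -> {status} {body}")
```

The fixed handler performs the check at the point where the request is resolved to a specific asset, before any response body is built; a check added only to the front-end editor, or only to the later save action, would leave this read path open.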

Exploit

Fix

Information Disclosure

Missing Authorization


Weakness Enumeration

Related identifiers

CVE-2026-33161
GHSA-VGJG-248P-RFM2

Affected products

Craft Cms