CVE-2026-33158

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.7 Craft CMS versions 5.0.0-RC1 through 5.9.13

Description A low-privileged authenticated user can access private asset content by calling the /assets/edit-image API endpoint with an arbitrary assetId without proper authorization checks. The endpoint returns image bytes or a preview redirect, potentially disclosing private files. The issue stems from a lack of verification that the current user is authorized to view the requested asset.

Recommendations Update Craft CMS to version 4.17.8 or later. Update Craft CMS to version 5.9.14 or later.