PT-2026-27465 · Craft Cms · Craft Cms

Gcxwlp

·

Published

2026-03-24

·

Updated

2026-03-24

·

CVE-2026-33160

CVSS v3.1

5.3

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Craft CMS versions 4.0.0-RC1 through 4.17.7
Craft CMS versions 5.0.0-RC1 through 5.9.13
Description

Craft CMS allows an unauthenticated user to obtain transformed image bytes derived from private assets. The /assets/generate-transform endpoint accepts an assetId and returns a transform URL without first checking whether the caller is permitted to view that asset, so supplying the ID of a private asset yields a URL from which content derived from the private file can be fetched. Because the transform URL is usable without a session, the missing check at the point where the URL is issued is equivalent to serving the private content directly.
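The authorization gap described above, modelled in Python as an added example. This is not Craft CMS code: the asset store, the per-volume viewAssets permission, the signed transform URL and the request shape are all assumptions made for illustration. The vulnerable handler mints a URL for any assetId it can find; the hardened one authorizes the caller against the asset first.

```python
"""Model of a generate-transform handler with and without an authorization check.

Added example, not Craft CMS code. Assumptions (not taken from the advisory):
assets live in volumes that are either public or private, a request may carry an
authenticated user with per-volume 'viewAssets:<volume>' permissions, and the
transform URL is a signed link that can be fetched without a session, so issuing
it is equivalent to issuing the derived bytes.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo key for signing transform URLs.
SECRET = b"constructed-demo-key"


@dataclass(frozen=True)
class Asset:
    id: int
    filename: str
    volume: str
    private: bool


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when the caller may not view the asset (or it does not exist)."""


class NotFound(Exception):
    """Raised by the vulnerable handler when the asset id is unknown."""


# Constructed asset store: one public asset, one asset in a private volume.
ASSETS = {
    1: Asset(1, "hero.jpg", "publicImages", private=False),
    42: Asset(42, "payslip.png", "hrPrivate", private=True),
}


def transform_url(asset: Asset, width: int) -> str:
    """Mint a signed, session-less URL for the transformed image (assumed shape)."""
    msg = f"{asset.id}:{width}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]
    return f"/transforms/{asset.id}/{width}/{asset.filename}?sig={sig}"


def can_view(user: Optional[User], asset: Asset) -> bool:
    """Public assets are viewable by anyone; private ones need a volume permission."""
    if not asset.private:
        return True
    return user is not None and f"viewAssets:{asset.volume}" in user.permissions


def generate_transform_vulnerable(asset_id: int, width: int,
                                  user: Optional[User] = None) -> str:
    """The flaw: the asset is looked up, but the caller is never authorized."""
    asset = ASSETS.get(asset_id)
    if asset is None:
        raise NotFound(asset_id)
    # No can_view() call: an unauthenticated caller gets a URL for a private asset.
    return transform_url(asset, width)


def generate_transform_fixed(asset_id: int, width: int,
                             user: Optional[User] = None) -> str:
    """Hardened: authorize against the specific asset before minting any URL."""
    asset = ASSETS.get(asset_id)
    # Same response for unknown and forbidden ids, so the endpoint cannot be used
    # to confirm which asset ids exist (a choice of this example, not the advisory).
    if asset is None or not can_view(user, asset):
        raise Forbidden(asset_id)
    return transform_url(asset, width)


if __name__ == "__main__":
    # Unauthenticated request for the private asset: vulnerable handler leaks a URL.
    print("vulnerable:", generate_transform_vulnerable(42, 200))
    try:
        generate_transform_fixed(42, 200)
    except Forbidden:
        print("fixed: forbidden for anonymous caller")
    hr = User("hr", {"viewAssets:hrPrivate"})
    print("fixed, authorized:", generate_transform_fixed(42, 200, hr))
```

The decision has to be made where the URL is issued, because once a transform URL exists it is fetchable without a session. The hardened handler also checks the permission against the specific asset that was requested rather than against a generic "can use assets" capability, which is what closes the IDOR: changing assetId to another private file no longer yields a URL.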
Recommendations

Update Craft CMS 4.x to version 4.17.8 or later.
Update Craft CMS 5.x to version 5.9.14 or later.

Weakness Enumeration

Missing Authorization

IDOR

Related Identifiers

CVE-2026-33160
GHSA-5PGF-H923-M958

Affected Products

Craft Cms