PT-2026-27466 · Craft Cms · Craft Cms
Susen2 · Published 2026-03-24 · Updated 2026-03-24

CVE-2026-33161

| CVSS v3.1 | 4.3 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 4.0.0-RC1 through 4.17.7
Craft CMS versions 5.0.0-RC1 through 5.9.13
Description
A low-privileged authenticated user can obtain image-editor response data, including the focalPoint, for private assets they are not authorized to view. The /assets/image-editor endpoint returns this editing metadata without an authorization check: actionImageEditor() accepts a client-supplied assetId and returns data such as html and focalPoint for that asset without first verifying that the requesting user has access to it (an insecure direct object reference on the asset ID). The impact is limited to disclosure of editor metadata for otherwise hidden assets (C:L); integrity and availability are unaffected, which is why the score is Medium.
Recommendations
Update to Craft CMS version 4.17.8 or later.
Update to Craft CMS version 5.9.14 or later.
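The following is an added illustration of the authorization gap described above; it is not Craft CMS code and does not reproduce the project's fix. It models a handler that loads an asset by the client-supplied assetId and returns editor metadata (focalPoint, html) without checking that the caller may view the asset, next to a hardened version that refuses before any asset data is built. The class and function names (Asset, User, imageEditorVulnerable, imageEditorFixed) and the sample assets are assumptions constructed for the example.

```php
<?php
// Added example, not Craft CMS's own code. Models the missing per-asset
// authorization in an image-editor style handler. All names and data here are
// constructed for illustration.
declare(strict_types=1);

final class Asset
{
    public function __construct(
        public readonly int $id,
        public readonly string $volume,      // volume the asset lives in
        public readonly array $focalPoint,   // ['x' => float, 'y' => float]
    ) {}
}

final class User
{
    /** @param string[] $viewableVolumes volumes this user is allowed to view */
    public function __construct(
        public readonly string $name,
        public readonly array $viewableVolumes,
    ) {}

    public function canView(Asset $asset): bool
    {
        return in_array($asset->volume, $this->viewableVolumes, true);
    }
}

final class ForbiddenException extends RuntimeException {}
final class NotFoundException extends RuntimeException {}

/** Constructed sample store: one asset in a public volume, one in a private volume. */
function loadAsset(int $assetId): Asset
{
    $store = [
        101 => new Asset(101, 'public',     ['x' => 0.5,  'y' => 0.5]),
        202 => new Asset(202, 'hr-private', ['x' => 0.25, 'y' => 0.75]),
    ];
    if (!isset($store[$assetId])) {
        throw new NotFoundException("asset $assetId not found");
    }
    return $store[$assetId];
}

/** Vulnerable pattern: the caller is authenticated, but the asset itself is never authorized. */
function imageEditorVulnerable(User $user, int $assetId): array
{
    $asset = loadAsset($assetId);
    return [
        'html'       => "<div class=\"image-editor\" data-asset=\"{$asset->id}\"></div>",
        'focalPoint' => $asset->focalPoint,
    ];
}

/** Hardened pattern: check view permission on the loaded asset before building any response data. */
function imageEditorFixed(User $user, int $assetId): array
{
    $asset = loadAsset($assetId);
    if (!$user->canView($asset)) {
        throw new ForbiddenException("user {$user->name} may not view asset $assetId");
    }
    return [
        'html'       => "<div class=\"image-editor\" data-asset=\"{$asset->id}\"></div>",
        'focalPoint' => $asset->focalPoint,
    ];
}

// A low-privileged user who may only see the public volume asks for the private asset.
$lowPriv = new User('editor', ['public']);

// Vulnerable handler: leaks the private asset's focal point.
$leaked = imageEditorVulnerable($lowPriv, 202);
printf("vulnerable: focalPoint x=%.2f y=%.2f\n", $leaked['focalPoint']['x'], $leaked['focalPoint']['y']);

// Fixed handler: same request is refused.
try {
    imageEditorFixed($lowPriv, 202);
} catch (ForbiddenException $e) {
    echo "fixed: denied ({$e->getMessage()})\n";
}

// The fixed handler still serves assets the user is allowed to view.
$ok = imageEditorFixed($lowPriv, 101);
printf("fixed: public asset focalPoint x=%.2f y=%.2f\n", $ok['focalPoint']['x'], $ok['focalPoint']['y']);
```

Two points worth keeping in mind when auditing handlers of this shape. First, `requireLogin()`-style checks only prove the caller has an account; any action that takes an element ID from the request also needs an authorization decision about that specific element, and it belongs before the response is assembled so that no field (html, focalPoint or otherwise) can leak through an early return. Second, returning a distinct not-found versus forbidden error, as the example does, lets a low-privileged user enumerate which asset IDs exist; if that matters in your deployment, collapse both cases into the same response.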
Missing Authorization
Information Disclosure
Affected Products
Craft Cms