PT-2026-30518 · Packagist · Craftcms/Cms

Published

2026-03-26

·

Updated

2026-03-26

CVSS v4.0

1.3

Low

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Summary

An authenticated low-privileged user can call assets/preview-file for an asset they are not authorized to view and still receive preview response data (previewHtml) for that private asset.
The returned preview HTML included a private preview image route containing the target private assetId, even though canView was false for the attacker account.

Details

  1. assets/preview-file accepts a maliciously controlled assetId and renders preview output.
  2. The action does not enforce per-asset view authorization prior to returning preview content.
  3. As a result, an authenticated user without asset-view permission can still obtain private preview output.
This affects Craft installations with authenticated users of mixed privilege levels with private assets.

Resources

  • d30df3112220db1ffd6726a3ed11857014c7fb27
  • b1cddf72c98a

Fix

Information Disclosure

IDOR

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-639CWE-862

Related Identifiers

GHSA-44PX-QJJC-XRHQ

Affected Products

Craftcms/Cms