PT-2026-51232 · Craft CMS · CMS

Susen2 · Published 2026-06-21 · Updated 2026-06-21 · CVE-2026-56384

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Craft CMS versions 4.0.0-RC1 through 4.17.7; Craft CMS versions 5.0.0-RC1 through 5.9.13

Description: A missing authorization issue exists in the 'assets/preview-thumb' endpoint. A Control Panel user who lacks permission to view a specific private asset can supply an assetId of their choosing to the endpoint. Because the endpoint does not perform an asset-view permission check before generating the preview, the user receives preview HTML containing a signed fallback transform preview link for that private asset.

Recommendations: Update to version 4.17.8 on the 4.x branch, or to version 5.9.14 on the 5.x branch.

Fix: available (see Recommendations)

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-56384

Affected Products: Craft CMS (CMS)