CVE-2026-56384
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset.
Risk Assessment
The lack of proper permission checks may lead to unauthorized access to private assets, posing a risk of sensitive information leakage.
Recommendation
It is recommended to upgrade to version 4.17.8 or 5.9.14 to mitigate this security vulnerability.
Original NVD description (English source)
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.

