CVE Catalog

CVE-2026-56385

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile — higher than 12% of all known CVEs

Summary

Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. This vulnerability allows low-privileged authenticated users to bypass view authorization for assets.

Risk Assessment

The organization may be exposed to the disclosure of private asset data, potentially leading to privacy breaches and data security issues.

Recommendation

It is recommended to upgrade to versions 5.9.14 or 4.17.8 to mitigate this security vulnerability.

Original NVD description (English source)

Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and still receive preview response data (previewHtml), including a private preview image route containing the target private assetId. Fixed in 5.9.14 and 4.17.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS