Feb 28, 2026·5 min read·18 visits
CVE-2025-68436 is a Mass Assignment vulnerability in Craft CMS versions 4.x and 5.x. It permits authenticated users to assign any asset ID as their profile photo. This can expose sensitive files (PDFs, backups, private images) by relocating them to public profile directories or granting the attacker view permissions. The fix involves explicitly excluding 'photoId' from safe attributes.
A logic vulnerability in Craft CMS allows authenticated users to associate arbitrary system assets with their user profile via a mass assignment flaw. By manipulating the 'photoId' parameter during a profile update, an attacker can link sensitive files—potentially restricted to administrators or other users—to their own account, leading to unauthorized access and potential file relocation to public directories.
Craft CMS, a flexible content management system built on the Yii2 framework, contains an Information Disclosure vulnerability rooted in improper input handling during user profile updates. The system leverages a 'Mass Assignment' pattern to populate model attributes from user requests. However, the User model failed to exclude the photoId attribute from the list of 'safe' attributes that can be modified directly by end-users.
This oversight exposes a significant attack surface: the asset management system. In Craft CMS, files (assets) are referenced by numeric IDs. Because the application did not validate whether the supplied photoId belonged to an asset the user was authorized to use—or if it was an appropriate image file—an attacker could bind arbitrary assets to their profile. This action forces the system to treat the target file as a profile photo, potentially moving it to a publicly accessible web directory or exposing its metadata through standard user profile APIs.
The vulnerability is a classic Mass Assignment (or Overposting) flaw, exacerbated by the asset handling logic in Craft CMS. The underlying Yii2 framework provides a mechanism to populate model properties massively from an input array (typically $_POST). Developers control which attributes are susceptible to this via the safeAttributes() method or validation rules.
In affected versions, the User element (which extends the base Element class) did not explicitly blacklist photoId from mass assignment. When a save-user action is triggered, the controller invokes code similar to $user->setAttributes($request->post()). Consequently, if a malicious payload includes photoId, the framework blindly updates the user's record to reference that ID.
Crucially, the side effects of changing a profile photo in Craft CMS include asset relocation. The CMS logic often attempts to consolidate user photos into a specific storage volume. If an attacker assigns a sensitive document (e.g., ID 500, representing a private contract PDF) as their photo, the system may move that file from a secure, internal volume to the public 'User Photos' volume, effectively bypassing all original access control lists (ACLs) applied to that asset.
The remediation involves restricting the photoId attribute so it cannot be set via mass assignment. The patch modifies src/elements/User.php to explicitly remove this attribute from the safe list.
Below is the comparison of the logic before and after the patch:
Vulnerable Code (Implicit Behavior):
Previously, safeAttributes() was not overridden in a way that excluded photoId, or it relied on parent behavior that permitted it. This allowed the controller to map $_POST['photoId'] directly to $user->photoId.
Patched Code (Explicit Exclusion):
In the patched version, the developers override safeAttributes to ensure photoId is stripped from the allowable input list. This forces any photo updates to go through dedicated, validated controller actions (like uploading a new file) rather than direct property assignment.
// src/elements/User.php
/**
* @inheritdoc
*/
public function safeAttributes(): array
{
// PATCH: Explicitly remove 'photoId' from the list of attributes
// that can be mass-assigned from request data.
// This prevents attackers from setting arbitrary asset IDs via POST.
return ArrayHelper::withoutValue(parent::safeAttributes(), 'photoId');
}By using ArrayHelper::withoutValue, the patch ensures that even if photoId is technically a valid property of the model, it is never considered 'safe' for bulk assignment from user input.
Exploiting this vulnerability requires a low-privileged authenticated session (e.g., a standard user account). The attack vector targets the save-user action used when users update their own profiles.
1. Reconnaissance: The attacker first attempts to enumerate Asset IDs. Since IDs are typically sequential integers, an attacker might guess IDs or leak them via other minor information disclosures (e.g., iterating through asset endpoints if available).
2. Payload Construction:
The attacker intercepts their own profile update request using a proxy (like Burp Suite) and appends the photoId parameter.
POST /index.php?p=admin/actions/users/save-user HTTP/1.1
Host: target-cms.com
Cookie: [Session Cookies]
Content-Type: application/x-www-form-urlencoded
userId=105&firstName=Attacker&photoId=423. Execution & Access:
If Asset ID 42 exists (e.g., a database backup file backup.sql uploaded by an admin), Craft CMS updates the attacker's user record. The system may then process this asset as an image. Even if image processing fails, the association persists. The attacker then visits their public profile or inspects the URL of their 'avatar' to retrieve the file path. If the system relocated the asset to a public volume, the file is now downloadable by anyone.
The impact of CVE-2025-68436 is primarily Confidentiality Loss. The severity depends heavily on the sensitivity of the assets stored within the CMS.
Data Exposure:
.env file stored as an asset).Metadata Leakage: Even if the file content cannot be rendered (e.g., a binary file treated as an image), the attacker gains knowledge of the file's existence, original filename, and size. This metadata can facilitate further attacks.
CVSS Context:
The vulnerability is rated Medium (6.5) because it requires authentication (PR:L). However, on systems with open registration, the barrier to entry is negligible. The attack complexity is Low (AC:L), and no user interaction (UI:N) is required from a victim.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
Craft CMS Pixel & Tonic | >= 4.0.0-RC1, < 4.16.17 | 4.16.17 |
Craft CMS Pixel & Tonic | >= 5.0.0-RC1, < 5.8.21 | 5.8.21 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-200 (Info Disclosure) / CWE-915 (Mass Assignment) |
| CVSS v3.1 | 6.5 (Medium) |
| Attack Vector | Network (Authenticated) |
| Impact | High Confidentiality Loss |
| Exploit Status | PoC Available |
| EPSS Score | 0.0004 (Low Probability) |
Exposure of Sensitive Information to an Unauthorized Actor
A state persistence vulnerability exists in Tornado's CurlAsyncHTTPClient component where pooled pycurl.Curl handles are reused across asynchronous requests without a complete state reset. Consequently, sensitive per-request configurations, such as client TLS certificates or proxy basic authentication credentials, persist on the shared handle. This behavior leads to subsequent requests leaking these credentials to unauthorized remote servers.
CVE-2026-48748 is a denial-of-service vulnerability in Netty's HTTP/3 codec (netty-codec-http3) occurring when QPACK dynamic tables are enabled but the blocked streams limit is not explicitly configured. A bug in limit checking and a memory leak in stream tracking allow unauthenticated remote attackers to exhaust the JVM heap memory and crash the server.
CVE-2026-50009 is a cryptographic design vulnerability in the Netty network application framework. Prior to version 4.2.15.Final, the framework's QUIC protocol implementation fails to cryptographically segregate the generated Connection IDs and the associated Stateless Reset Tokens. An on-path network attacker who sniffs traffic during a Connection ID rotation can extract secret token material from cleartext headers, enabling them to inject spoofed reset packets and terminate active connections.
A critical hostname verification bypass vulnerability exists in the Netty network application framework when configured as a TLS client. When a developer registers a custom plain X509TrustManager, Netty wraps it inside an X509TrustManagerWrapper to adapt it to the X509ExtendedTrustManager API. However, this wrapper discards the SSLEngine context, bypassing critical hostname checks. Because the wrapper is identified as an X509ExtendedTrustManager, standard cryptographic engines and Netty's OpenSSL wrappers do not re-wrap it, failing to execute any hostname validation. Consequently, clients silently accept certificates for any host, enabling unauthenticated Man-in-the-Middle (MitM) attacks.
An uncontrolled resource pre-allocation flaw in the Netty Redis codec module allows remote unauthenticated attackers to cause a denial of service (OutOfMemoryError) by sending a crafted Redis Serialization Protocol (RESP) array header.
CVE-2026-50020 is a medium-severity HTTP Request Smuggling/Response Smuggling vulnerability (CWE-444) within the Netty asynchronous network application framework. The flaw resides in Netty's HTTP codec implementation, specifically the HttpObjectDecoder class, which silently consumes arbitrary ISO control bytes preceding the first request line.