Face/Off: Hijacking Sensitive Assets via Profile Photos in Craft CMS
Jan 5, 2026
Executive Summary (TL;DR)
A Mass Assignment flaw combined with an Insecure Direct Object Reference (IDOR) in Craft CMS lets any authenticated user claim an arbitrary asset managed by the install, including private backups and configuration files, as their own profile photo. The user profile update handler accepts a client-supplied `photoId` in the POST body and never checks that the referenced asset belongs to the requesting user or is eligible to be a user photo. When the profile is saved, Craft treats the asset as the new avatar and relocates it into the user photo location, which is normally publicly reachable, so the attacker gains read access to a file they were never authorized to see. Because the asset is moved rather than copied, it also disappears from its original location, which is the integrity impact reflected in the CVSS vector below.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected Systems
Affected Versions Detail
| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| Craft CMS | Pixel & Tonic | 4.x before 4.16.17 | 4.16.17 |
| Craft CMS | Pixel & Tonic | 5.x before 5.8.21 | 5.8.21 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes, i.e. Mass Assignment) |
| Secondary CWE | CWE-639 (Authorization Bypass Through User-Controlled Key, i.e. Insecure Direct Object Reference) |
| Attack Vector | Network (authenticated HTTP POST to the profile update handler) |
| CVSS v3.1 | 8.1 (High), computed from the vector above |
| Exploit Status | Functional PoC available |
| Privileges Required | Low (any authenticated user account) |
Weakness Description
CWE-915: the application allows a client to supply multiple attributes in a single request but does not verify that each attribute is valid for assignment, so an attacker can set a field (here `photoId`) that the profile form was never meant to expose. CWE-639 is the consequence: the supplied identifier is honoured without any ownership or authorization check on the asset it references, so the attacker chooses which object the server operates on.
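To make the two halves of the weakness concrete, the following is an added illustration written for this page; it is not Craft CMS source code and not the vendor's patch. It models a minimal Craft-style controller action in its vulnerable form (the client-supplied `photoId` is trusted blindly) and a hardened form (the identifier is bound to an asset the current user uploaded into the user-photo volume). The action names and route are hypothetical, and the behaviour of `Asset::find()`, `User::setPhoto()`, `Asset::$uploaderId`, `Asset::getVolume()` and the project-config key `users.photoVolumeUid` is assumed from Craft's public API rather than confirmed by the advisory.

```php
<?php
/*
 * Added illustration, not code from Craft CMS or from the vendor's patch.
 * Assumptions (not confirmed by the advisory): the action names and route,
 * and that Asset::find(), User::setPhoto(), Asset::$uploaderId,
 * Asset::getVolume() and the project-config key users.photoVolumeUid
 * behave as used below.
 */

use craft\elements\Asset;
use craft\elements\User;
use craft\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\Response;

class ProfileController extends Controller
{
    /** VULNERABLE: whatever asset ID arrives in the POST body becomes the photo. */
    public function actionSaveVulnerable(): Response
    {
        $this->requirePostRequest();
        $this->requireLogin();
        /** @var User $user */
        $user = Craft::$app->getUser()->getIdentity();

        $photoId = Craft::$app->getRequest()->getBodyParam('photoId');
        if ($photoId !== null) {
            // No ownership or volume check: photoId=<id of a private asset>
            // makes Craft move that asset into the profile-photo location.
            $user->setPhoto(Asset::find()->id((int)$photoId)->one());
        }
        Craft::$app->getElements()->saveElement($user);
        return $this->asJson(['success' => true]);
    }

    /** HARDENED: photoId is honoured only for an asset this user may use as a photo. */
    public function actionSaveHardened(): Response
    {
        $this->requirePostRequest();
        $this->requireLogin();
        /** @var User $user */
        $user = Craft::$app->getUser()->getIdentity();

        $photoId = Craft::$app->getRequest()->getBodyParam('photoId');
        if ($photoId !== null) {
            $asset = self::photoAuthorizedFor($user, (int)$photoId);
            if ($asset === null) {
                // Deny and log: a legitimate client never sends an ID it does
                // not own, so a rejected photoId is a useful detection signal.
                Craft::warning("User {$user->id} tried to claim asset {$photoId} as a profile photo", __METHOD__);
                throw new ForbiddenHttpException('That asset cannot be used as a profile photo.');
            }
            $user->setPhoto($asset);
        }
        Craft::$app->getElements()->saveElement($user);
        return $this->asJson(['success' => true]);
    }

    /**
     * Returns the asset only if it exists, was uploaded by $user, and already
     * lives in the volume configured for user photos; otherwise null.
     */
    private static function photoAuthorizedFor(User $user, int $photoId): ?Asset
    {
        $asset = Asset::find()->id($photoId)->one();
        if ($asset === null) {
            return null;
        }
        // The IDOR half of the bug: bind the identifier to the requester.
        if ($asset->uploaderId === null || (int)$asset->uploaderId !== (int)$user->id) {
            return null;
        }
        // The mass-assignment half: only assets already in the user-photo
        // volume are eligible, so a backup or config file stored elsewhere
        // can never be relocated by this request.
        $photoVolumeUid = Craft::$app->getProjectConfig()->get('users.photoVolumeUid');
        if (!is_string($photoVolumeUid) || $asset->getVolume()->uid !== $photoVolumeUid) {
            return null;
        }
        return $asset;
    }
}
```

The design point is that neither check alone is enough: an ownership check without the volume check still lets a user move their own upload out of a restricted volume, and a volume check without ownership lets one user take another user's photo. Logging the rejected `photoId` also gives defenders a concrete event to alert on while unpatched instances are being upgraded.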