
CVE-2026-33160: Unauthenticated Information Disclosure via Authorization Bypass in Craft CMS

CVSS 2.7 · PoC Available

Alon Barad, Software Engineer
Mar 24, 2026 · 6 min read

Executive Summary (TL;DR)

Unauthenticated users can view private assets by exploiting a missing authorization check in the Craft CMS image transformation endpoint, leading to information disclosure.

Craft CMS suffers from a missing authorization vulnerability in its image transformation endpoint. Unauthenticated attackers can generate and retrieve transformed versions of private assets by exploiting an insecure direct object reference (IDOR) flaw in the AssetsController.

Vulnerability Overview

Craft CMS contains a moderate-severity information disclosure vulnerability within its asset management subsystem. The vulnerability resides specifically in the AssetsController component, which handles dynamic image transformations. This component exposes an endpoint that processes user-supplied parameters to generate derived works from original media files.

The core issue is a missing authorization check (CWE-862) that leads to an insecure direct object reference (CWE-639). When a user requests an image transformation via the assets/generate-transform endpoint, the application does not verify whether the requester holds the requisite "View" permission for the target asset. As a result, unauthenticated, anonymous users can supply arbitrary asset identifiers and successfully trigger the transformation process.

While the base severity score is evaluated as Low (CVSS 2.7), the vulnerability introduces a direct breach of confidentiality for systems relying on Craft CMS to secure private media. The exposure is limited to transformed derivatives rather than the full-resolution source files, but this distinction is often negligible when the visual content itself is the sensitive material.

Root Cause Analysis

The actionGenerateTransform method in src/controllers/AssetsController.php processes requests to dynamically resize, crop, or alter images. The application relies on an assetId to locate the source file and a handle to determine the specific transformation parameters. These values are extracted directly from the incoming POST request body.

Prior to the patch, the execution flow within this method contained a critical oversight in its primary request handling branch. The code successfully retrieved the POST parameters and instantiated the transformation process, but it completely omitted any contextual permission checks. The system blindly trusted the presence of a valid assetId without correlating it to the current user's session or authorization state.

This logical disconnect creates a state where private assets residing in restricted, non-web-accessible volumes are temporarily exposed. The transformation subsystem generates the derivative file and places it into a public cache or serves it via a cryptographically signed URL. By successfully invoking the transformation process, the attacker bridges the gap between a secure storage volume and public accessibility.

Code Analysis and Patch Implementation

The vulnerability is localized to a specific conditional branch within the AssetsController. When processing standard transform generation requests, the controller drops into an else block to parse the assetId and handle parameters. In the vulnerable implementation, this block immediately accesses the request parameters without invoking the system's permission enforcement mechanisms.

@@ -1142,6 +1142,7 @@ public function actionGenerateTransform(?int $transformId = null): Response
                 throw new ServerErrorHttpException('Image transform cannot be created.', previous: $e);
             }
         } else {
+            $this->requirePermission('accessCp'); 
             $assetId = $this->request->getRequiredBodyParam('assetId');
             $handle = $this->request->getRequiredBodyParam('handle');
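
Review bot: the check added at the top of the else branch, `$this->requirePermission('accessCp');`, gates on Control Panel access rather than on the requester's right to view the asset named by `$assetId`, so any account holding accessCp can still request transforms of assets in volumes it is not otherwise permitted to see; consider resolving the asset and calling requireVolumePermissionByAsset on it, as the same patch does for actionPreviewThumb and actionEditImage. The added line also carries trailing whitespace after the semicolon.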

The remediation introduces a mandatory $this->requirePermission('accessCp') invocation directly at the start of the execution block. This single line of code fundamentally alters the endpoint's accessibility profile. The controller now abruptly terminates the request and returns an HTTP 403 Forbidden response if the caller lacks Control Panel access privileges.

Furthermore, the patch implements defense-in-depth measures across the broader controller. The developers identified related endpoints, such as actionPreviewThumb and actionEditImage, and enforced volume-level permission checks using requireVolumePermissionByAsset. This comprehensive approach ensures that variant attack paths targeting different asset manipulation routines are simultaneously mitigated.

Exploitation Methodology

Exploitation requires minimal prerequisites. An attacker only requires network access to the target Craft CMS deployment and knowledge of standard transformation handles. The target system must have an accessible assets/generate-transform route, which is available by default in vulnerable configurations. No authentication or specialized network positioning is necessary.

The attack begins with the enumeration of valid asset identifiers. Because assetId values in Craft CMS are typically assigned as sequential integers, an attacker can iterate through a numerical range. The attacker issues a POST request containing a guessed assetId and a common transform handle, such as a standard thumbnail specification.

Upon receiving the request, the vulnerable controller processes the image and responds with a JSON payload containing a signed URL for the newly generated asset. The attacker completes the exploitation sequence by issuing a GET request to this signed URL, thereby retrieving the image bytes. This process bypasses all volume-level restrictions that natively protect the source file.

Impact Assessment

The primary security consequence of CVE-2026-33160 is unauthorized information disclosure. Attackers gain read access to the visual contents of arbitrary private assets managed by the CMS. This exposure directly violates the confidentiality guarantees provided by private storage volumes in Craft CMS.

The technical impact is restricted strictly to transformed derivatives. Attackers cannot extract the original, unaltered source files, nor can they retrieve associated metadata stored within the database. The transformation process frequently involves downscaling or compression, meaning the disclosed files may lack the fidelity of the source material.

Despite this limitation, the contextual impact can be substantial depending on the target environment. Installations utilizing Craft CMS to manage embargoed product imagery, confidential medical documents, or private user uploads are at significant risk. The disclosure of a high-resolution thumbnail is often sufficient to compromise the sensitive information contained within the original asset.

Remediation Guidance

The definitive mitigation strategy is to upgrade the Craft CMS installation to a patched version. Administrators running the 4.x release line must update to version 4.17.8 or later. Deployments operating on the 5.x release line require an update to version 5.9.14 or later. These releases contain the necessary code changes to enforce proper authorization constraints on the AssetsController.

Organizations should review their user group configurations to verify the principle of least privilege. The patched implementation specifically requires the accessCp permission to interact with the transform generation endpoint. Administrators must ensure that this permission is exclusively granted to trusted personnel who require access to the Control Panel.

In environments where immediate patching is strictly prohibited by operational constraints, network-level mitigations can be temporarily applied. Web Application Firewall (WAF) rules can be configured to block external, unauthenticated POST requests targeting the /assets/generate-transform URI. This temporary measure prevents exploitation from anonymous actors while allowing internal administrators to utilize the functionality.
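A detection-side companion to the assetId enumeration pattern and the WAF mitigation described above: an added example (not part of this report or of Craft CMS) that scans constructed audit-log lines for unauthenticated POSTs to the transform endpoint, groups them by client, and reports whether the requested assetId values look iterated and how many were actually served. The log format, sample values and thresholds are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample lines (not from the page); assumed audit-log format: client IP,
# method, path, HTTP status, POSTed assetId, session present (web-server access logs
# lack the POST body, so assetId must come from Craft-side request logging).
SAMPLE_LOG = """\
203.0.113.7 POST /assets/generate-transform 200 assetId=101 auth=no
203.0.113.7 POST /assets/generate-transform 200 assetId=102 auth=no
203.0.113.7 POST /assets/generate-transform 404 assetId=103 auth=no
203.0.113.7 POST /assets/generate-transform 200 assetId=104 auth=no
203.0.113.7 POST /assets/generate-transform 200 assetId=105 auth=no
198.51.100.4 POST /assets/generate-transform 200 assetId=42 auth=yes
192.0.2.9 GET /blog/hello-world 200
192.0.2.9 POST /assets/generate-transform 403 assetId=12 auth=no
"""
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: assetId=(?P<asset>\d+))?(?: auth=(?P<auth>yes|no))?$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["asset"] = int(ev["asset"]) if ev["asset"] else None
    return ev

def is_sequential(ids, min_density=0.5):
    """True when the distinct ids fill at least half of their numeric range: the
    signature of a client iterating through assetId values."""
    ids = sorted(set(ids))
    return len(ids) >= 2 and len(ids) / (ids[-1] - ids[0] + 1) >= min_density

def detect_enumeration(lines, min_requests=5):
    """Report clients that sent at least min_requests unauthenticated POSTs to the
    transform endpoint; 'succeeded' counts HTTP 200 replies (a patched install returns 403)."""
    per_client = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if (ev["method"] == "POST" and "assets/generate-transform" in ev["path"]
                and ev["auth"] == "no" and ev["asset"] is not None):
            per_client[ev["ip"]].append((ev["asset"], ev["status"]))
    findings = {}
    for ip, events in per_client.items():
        if len(events) >= min_requests:
            ids = [a for a, _ in events]
            findings[ip] = {"requests": len(events), "distinct_ids": len(set(ids)),
                            "sequential": is_sequential(ids),
                            "succeeded": sum(s == "200" for _, s in events)}
    return findings
```

A non-zero "succeeded" count for an unauthenticated client is the useful signal: after upgrading, the same requests should all show as 403 and the count drops to zero.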

Official Patches

  • Craft CMS: Official GitHub Security Advisory
  • Craft CMS: Craft CMS 4.17.8 Release Notes
  • Craft CMS: Craft CMS 5.9.14 Release Notes

Technical Appendix

CVSS Score: 2.7 / 10
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Affected Systems

Craft CMS 4.x, Craft CMS 5.x

Affected Versions Detail

Product     Vendor          Affected Versions      Fixed Version
Craft CMS   Pixel & Tonic   4.0.0-RC1 < 4.17.8     4.17.8
Craft CMS   Pixel & Tonic   5.0.0-RC1 < 5.9.14     5.9.14

Attribute Summary

CWE ID: CWE-862 / CWE-639
Attack Vector: Network
CVSS v4.0 Score: 2.7
Impact: Information Disclosure
Exploit Status: Proof of Concept
Authentication Required: None

MITRE ATT&CK Mapping

T1068: Exploitation for Privilege Escalation (tactic: Privilege Escalation)

CWE-862: Missing Authorization

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

Vulnerability Timeline

2026-02-24: Vulnerability reported to Pixel & Tonic.
2026-02-25: Craft CMS releases patched versions 4.17.8 and 5.9.14.
2026-03-24: Vulnerability publicly disclosed under CVE-2026-33160 and GHSA-5pgf-h923-m958.

References & Sources

  • [1] GHSA-5pgf-h923-m958: Information Disclosure in Craft CMS
  • [2] Fix Commit: 7290d91639e5e3a4f7e221dfbef95c9b77331860
  • [3] CVE-2026-33160 Record

Attack Flow Diagram

(Interactive diagram not reproduced in this text version.)