Jul 6, 2026·6 min read·3 visits
Low-privileged Control Panel users can retrieve signed preview links for restricted assets due to missing authorization checks in the preview-thumb endpoint.
An improper authorization vulnerability in Craft CMS allows authenticated Control Panel users to bypass volume view permissions and access signed fallback transform preview links for private assets via the assets/preview-thumb action.
Craft CMS incorporates an asset management system designed to regulate access to files hosted across various storage volumes. Administrators frequently configure private volumes to ensure that sensitive files, such as financial records or proprietary assets, are restricted to authorized user groups. This access control framework is intended to validate permissions dynamically before serving files or related metadata to Control Panel users.
An improper authorization vulnerability exists within the Control Panel's asset preview mechanism, specifically inside the file preview endpoint. This vulnerability allows an authenticated Control Panel user with minimal permissions to bypass volume-level access controls. By interacting with a specific API endpoint, the user can obtain access to signed fallback transform links associated with any private asset.
The core of the security boundary failure lies in the difference between accessing the physical asset and requesting its generated preview. While direct asset retrieval is protected by authorization checks, the preview generation logic failed to execute comparable verification. Consequently, the application exposes preview representations of private assets to any authenticated user who can supply the target asset identifier.
The vulnerability originates in the actionPreviewFile method located within the src/controllers/AssetsController.php file of Craft CMS. This controller action handles user requests to generate visual previews of assets in the Control Panel. When a request is received, the method retrieves the corresponding asset from the database using the user-provided asset identifier.
After retrieving the asset, the controller initializes the appropriate asset preview handler and invokes its getPreviewHtml method to render the HTML structure. This HTML includes a signed URL that points to a temporary fallback transform representing the asset thumbnail. The generation of this signed URL acts as a cryptographic authorization bypass, allowing the recipient to access the thumbnail directly.
The critical defect is the complete absence of permission checks within this execution path. The controller assumed that any user capable of reaching the endpoint was authorized to view the asset metadata and its preview. Consequently, the application does not evaluate whether the active session possesses the viewAssets or viewPeerAssets permission for the specific volume housing the target asset.
To understand the technical mechanics of this defect, analyze the vulnerable code path in src/controllers/AssetsController.php. The controller action receives an HTTP POST request and retrieves the assetId parameter directly from the request body.
// Vulnerable implementation in AssetsController.php
public function actionPreviewFile(): Response
{
$assetId = $this->request->getRequiredBodyParam('assetId');
$asset = Craft::$app->getAssets()->getAssetById($assetId);
if (!$asset) {
return $this->asFailure(Craft::t('app', 'Asset not found with that id'));
}
// Missing authorization checks for the volume and asset
$previewHtml = null;
$previewHandler = Craft::$app->getAssets()->getAssetPreviewHandler($asset);
$previewHtml = $previewHandler->getPreviewHtml();
return $this->asJson([
'previewHtml' => $previewHtml
]);
}The patch addresses this defect by inserting explicit volume and peer-volume authorization checks immediately after retrieving the asset. The modified controller action utilizes the internal security helpers to enforce authorization prior to executing the preview handler.
// Patched implementation in AssetsController.php
public function actionPreviewFile(): Response
{
$assetId = $this->request->getRequiredBodyParam('assetId');
$asset = Craft::$app->getAssets()->getAssetById($assetId);
if (!$asset) {
return $this->asFailure(Craft::t('app', 'Asset not found with that id'));
}
// Added permission validation
$this->requireVolumePermissionByAsset('viewAssets', $asset);
$this->requirePeerVolumePermissionByAsset('viewPeerAssets', $asset);
$previewHtml = null;
$previewHandler = Craft::$app->getAssets()->getAssetPreviewHandler($asset);
$previewHtml = $previewHandler->getPreviewHtml();
return $this->asJson([
'previewHtml' => $previewHtml
]);
}This remediation successfully prevents further execution if the active user session lacks the required volume permissions. The requireVolumePermissionByAsset and requirePeerVolumePermissionByAsset methods throw an UnauthorizedHttpException if the security check fails, resulting in an HTTP 403 Forbidden response. This fix is complete and covers the specific exposure vector within this controller action.
An attacker must establish an authenticated session in the Craft CMS Control Panel to exploit this vulnerability. The required privilege level is low, demanding only basic access to the Control Panel interface. The attacker does not need administrative privileges or permissions to access the target asset volume.
Upon gaining authenticated access, the attacker must determine the target asset identifier. Since asset IDs are sequential integers, the attacker can systematically brute-force or enumerate identifiers to target specific documents. Once a valid target identifier is chosen, the attacker transmits a crafted HTTP POST request to the assets/preview-thumb endpoint.
POST /index.php?p=admin/actions/assets/preview-thumb HTTP/1.1
Host: target-craftcms.local
Content-Type: application/x-www-form-urlencoded
Cookie: <Control-Panel-User-Session>
action=assets/preview-thumb&assetId=4523The server processes this request and responds with a JSON payload containing the generated preview HTML. This HTML includes an img tag where the src attribute is a signed fallback transform URL containing an HMAC parameter. The attacker extracts this signed URL and requests it directly to obtain a rendered thumbnail preview of the restricted asset, bypassing volume-level access controls.
The primary consequence of this vulnerability is unauthorized information disclosure. While the flaw does not permit arbitrary file modification, deletion, or remote code execution, it degrades the confidentiality guarantees provided by Craft CMS asset volumes. Organizations relying on volume permissions to isolate sensitive documentation are particularly vulnerable.
Because the generated preview URL is signed by the application, the backend processes the request as legitimate, bypassing further access controls. This allows unauthorized users to view image thumbnails or document previews that contain sensitive data. Depending on the contents of the assets, this can lead to the exposure of proprietary intellectual property, personal data, or internal business records.
The vulnerability is assessed with a CVSS v3.1 score of 4.3 (Medium). The complexity remains low, and the attack vector is direct over the network, though it requires authentication. The impact is limited strictly to the loss of confidentiality of the affected assets.
The primary remediation strategy is upgrading the Craft CMS installation to a secure release. Organizations utilizing Craft CMS 4.x must update their deployment to version 4.17.8 or higher. Deployments running Craft CMS 5.x must be upgraded to version 5.9.14 or higher.
To execute the upgrade, administrators should update their dependency configuration. Running the command composer update craftcms/cms within the environment pulls the secure versions and applies the code modifications. Verification of the patch can be performed by attempting to access the preview-thumb action for an unauthorized asset and confirming that an HTTP 403 Forbidden status is returned.
If immediate updates are not feasible, temporary mitigation requires restricting access to the Control Panel interface. Administrators can limit Control Panel access to trusted internal networks or implement strict Web Application Firewall (WAF) rules to monitor requests directed at the assets/preview-thumb action. These measures reduce the exposure window until the software can be patched.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
Craft CMS Craft CMS | >= 4.0.0, < 4.17.8 | 4.17.8 |
Craft CMS Craft CMS | >= 5.0.0, < 5.9.14 | 5.9.14 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-862 |
| Attack Vector | Network (AV:N) |
| CVSS Score | 4.3 (Medium) |
| Impact | Information Disclosure / Private Asset Access |
| Exploit Status | PoC / Theoretical |
| KEV Status | Not Listed |
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
A logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.
CVE-2026-55792 represents a sensitive file disclosure vulnerability in Craft CMS. The issue arises from the inclusion of the `dataUrl()` function in the Twig sandbox allowlist combined with incomplete path validation inside the underlying helper method. Attackers with low-privileged control panel access can exploit this flaw to read and exfiltrate the `.env` configuration file.
A security inspection bypass vulnerability exists in the printenv utility of uutils coreutils (a Rust-based implementation of GNU coreutils) prior to version 0.6.0. Due to a semantic mismatch between POSIX environment variable specifications and Rust's strict UTF-8 validation rules, environment variables containing invalid UTF-8 byte sequences are silently omitted from printenv outputs. This allows local attackers to load and execute adversarial environment variables while remaining undetected by system administrators and automated security auditing tools.
CVE-2026-35371 is a logical validation vulnerability (CWE-451) in the Rust-based GNU coreutils clone (uutils/coreutils). When formatting pretty-print statistics for a process where the real User ID (UID) and effective User ID (EUID) differ, the id utility mistakenly uses the effective Group ID (EGID) to retrieve the effective user name. This mismatch can mislead administrative scripts or system administrators who rely on the command's stdout to verify privilege states.
CVE-2026-35339 is a logic vulnerability in the Rust-written `uutils/coreutils` implementation of the `chmod` utility. When executing recursively (`-R` or `--recursive`) over multiple target paths, the utility fails to accumulate the overall exit status, overwriting error codes from early failures with the status of the final target. This results in false-success exit codes (0), potentially leading security automation and deployment scripts to assume permission modifications succeeded when they actually failed.
A path validation bypass vulnerability exists in the chmod utility of uutils/coreutils before version 0.6.0. The '--preserve-root' safety mechanism relies on a literal string comparison, allowing local users to bypass root directory protection via unnormalized paths (such as '/../' or symbolic links) and recursively alter system-wide permissions.