
Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata

Low
angrybrad published GHSA-44px-qjjc-xrhq Mar 24, 2026

Package

craftcms/cms (Composer)

Affected versions

>= 5.0.0-RC1, <= 5.9.13
>= 4.0.0-RC1, <= 4.17.7

Patched versions

5.9.14
4.17.8

Description

Summary

An authenticated low-privileged user can call assets/preview-file for an asset they are not authorized to view and still receive preview response data (previewHtml) for that private asset.

The returned preview HTML included a private preview image route containing the target private assetId, even though canView was false for the attacker account.

Details

  1. assets/preview-file accepts a user-controlled assetId and renders preview output for it.
  2. The action does not enforce per-asset view authorization prior to returning preview content.
  3. As a result, an authenticated user without asset-view permission can still obtain private preview output.

This affects Craft installations that hold private assets and have authenticated users of mixed privilege levels.
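The missing step in the details above is a per-asset view check between resolving the assetId and rendering the preview. The following is an added illustration, not Craft CMS source code and not the project's actual fix: a minimal controller action written in the style of a Craft web controller, with the vulnerable pattern next to a hardened one. The controller class, action names and renderPreview helper are hypothetical; the Craft calls used (getRequest()->getRequiredBodyParam(), getAssets()->getAssetById(), getElements()->canView(), requireLogin(), asJson()) are assumed from the Craft 4/5 public API.

```php
<?php
// Added illustration, not Craft CMS source. Class and action names are
// hypothetical; the Craft service calls are assumed from the Craft 4/5 API.
namespace modules\example\controllers;

use Craft;
use craft\elements\Asset;
use craft\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use yii\web\Response;

class PreviewController extends Controller
{
    // Vulnerable pattern: the only gate is "is the caller logged in?".
    // Any authenticated user can supply another user's private assetId
    // and receive previewHtml for it (the bypass described above).
    public function actionPreviewFileVulnerable(): Response
    {
        $this->requireLogin();
        $asset = $this->resolveAsset();

        // No per-asset authorization before rendering.
        return $this->asJson(['previewHtml' => $this->renderPreview($asset)]);
    }

    // Hardened pattern: resolve the asset, then require that the current
    // user may view that specific element before any preview is built.
    public function actionPreviewFile(): Response
    {
        $this->requireLogin();
        $asset = $this->resolveAsset();

        $user = Craft::$app->getUser()->getIdentity();
        // canView() is the element-level check; it must be evaluated against
        // the resolved asset, not against a general "can use assets" permission.
        if ($user === null || !Craft::$app->getElements()->canView($asset, $user)) {
            throw new ForbiddenHttpException('User is not permitted to view this asset.');
        }

        return $this->asJson(['previewHtml' => $this->renderPreview($asset)]);
    }

    // Reads the user-controlled assetId and loads the element. Resolving an
    // id is not an authorization decision; the view check still has to follow.
    private function resolveAsset(): Asset
    {
        $assetId = (int) Craft::$app->getRequest()->getRequiredBodyParam('assetId');
        $asset = Craft::$app->getAssets()->getAssetById($assetId);
        if (!$asset instanceof Asset) {
            throw new NotFoundHttpException('Asset not found.');
        }
        return $asset;
    }

    // Placeholder preview renderer (hypothetical): the real action returns
    // markup that references a private preview image route for the asset,
    // which is exactly why the check above has to run before this point.
    private function renderPreview(Asset $asset): string
    {
        return '<div class="preview">'
            . htmlspecialchars($asset->filename, ENT_QUOTES, 'UTF-8')
            . '</div>';
    }
}
```

Two practical points follow from the hardened form. First, a 403 on a private asset still confirms that the id exists; an installation that wants to avoid even that signal can respond with the same 404 used for unknown ids. Second, when auditing for this class of bug, look for any action that loads an element by a request-supplied id and returns data derived from it; an `is logged in` check alone is the tell.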

References

Severity

Low

CVE ID

No known CVE

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Learn more on MITRE.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Learn more on MITRE.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Learn more on MITRE.

Credits