Craft CMS, a popular content management system, contains an authorization bypass vulnerability identified as CVE-2026-33158 affecting versions 4.0.0-RC1 through 4.17.7 and 5.0.0-RC1 through 5.9.13. The vulnerability arises from insufficient access control enforcement in the assets/edit-image endpoint. Specifically, a low-privileged authenticated user can supply an arbitrary assetId parameter to this endpoint and retrieve the image bytes or a preview redirect for assets they are not authorized to access. This occurs because the endpoint fails to perform per-asset view authorization checks before returning the asset content. The flaw is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), indicating that user-controlled input is used to bypass authorization mechanisms. Exploitation requires authentication but no additional user interaction, and it can be performed remotely. The vulnerability can lead to unauthorized disclosure of private or sensitive files stored within the CMS, potentially exposing confidential information. The issue was addressed and patched in Craft CMS versions 4.17.8 and 5.9.14, where proper authorization checks were implemented to validate asset access rights before serving content.

The primary impact of this vulnerability is unauthorized disclosure of private asset files stored within Craft CMS installations. Organizations using affected versions risk exposure of sensitive images or documents that should be restricted to authorized users only. This can lead to data leakage, loss of confidentiality, and potential reputational damage. Attackers with low-level credentials can escalate their access to view private content without needing elevated privileges, increasing the risk from insider threats or compromised low-privilege accounts. While the vulnerability does not allow modification or deletion of assets, the confidentiality breach alone can be significant, especially for organizations handling sensitive media, intellectual property, or personal data. The ease of exploitation over the network without user interaction increases the threat level. However, the requirement for authentication limits exploitation to users with some level of access, reducing the scope compared to unauthenticated vulnerabilities. Overall, this vulnerability poses a moderate risk to organizations relying on Craft CMS for content management, particularly those with sensitive asset repositories.

To mitigate this vulnerability, organizations should immediately upgrade Craft CMS to versions 4.17.8 or 5.9.14 or later, where the authorization bypass has been fixed. Until upgrades can be applied, administrators should restrict access to the assets/edit-image endpoint to trusted users only and consider implementing additional access controls at the web server or application firewall level to block unauthorized assetId parameters. Conduct an audit of user privileges to ensure that only necessary users have authenticated access to the CMS, minimizing the risk from low-privileged accounts. Monitor access logs for unusual or unauthorized attempts to access asset content via the vulnerable endpoint. If possible, temporarily disable or restrict the use of image editing or preview features that invoke the vulnerable endpoint. Additionally, review and enhance overall access control policies and implement defense-in-depth measures such as network segmentation and strong authentication to reduce the attack surface. Finally, educate users about the importance of safeguarding credentials to prevent exploitation by malicious actors.