Craft CMS, a popular content management system, contains an authorization bypass vulnerability identified as CVE-2026-33158, classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The flaw exists in versions from 4.0.0-RC1 up to but not including 4.17.8 and from 5.0.0-RC1 up to but not including 5.9.14. The vulnerability arises because the assets/edit-image endpoint fails to enforce per-asset view authorization checks when processing requests containing an arbitrary assetId parameter. Consequently, a low-privileged authenticated user can request image data or preview redirects for assets they should not have permission to access, leading to unauthorized disclosure of private files. The vulnerability is exploitable remotely without requiring user interaction or elevated privileges beyond basic authentication. The CVSS 4.0 base score is 4.9 (medium severity), reflecting network attack vector, low complexity, no privileges required beyond authentication, and high impact on confidentiality. The issue was publicly disclosed on March 24, 2026, and patches were released in Craft CMS versions 4.17.8 and 5.9.14 to properly enforce authorization checks on asset access. No known exploits have been reported in the wild to date, but the flaw presents a significant risk to confidentiality of sensitive assets stored in affected CMS instances.

The primary impact of this vulnerability is unauthorized disclosure of private asset files stored within Craft CMS installations. Organizations using vulnerable versions risk exposure of sensitive images or documents that should be restricted to authorized users only. This can lead to data breaches, loss of intellectual property, privacy violations, and reputational damage. Since the flaw allows low-privileged authenticated users to bypass access controls, insider threats or compromised low-level accounts can be leveraged to escalate data access. The vulnerability does not affect system integrity or availability directly but compromises confidentiality significantly. Enterprises relying on Craft CMS for managing sensitive content, such as media companies, e-commerce platforms, and corporate intranets, are particularly at risk. The ease of exploitation over the network without user interaction increases the likelihood of unauthorized data access if patches are not applied promptly.

1. Upgrade Craft CMS installations to version 4.17.8 or later if using the 4.x branch, or to version 5.9.14 or later if using the 5.x branch, as these versions contain the official patch addressing the authorization bypass. 2. Implement strict access control policies and monitor user permissions to limit low-privileged user access to sensitive asset management functions. 3. Conduct regular audits of asset access logs to detect unusual or unauthorized retrieval attempts. 4. If immediate upgrade is not feasible, consider implementing web application firewall (WAF) rules to restrict or monitor requests to the assets/edit-image endpoint, especially those containing arbitrary assetId parameters. 5. Educate administrators and developers about the importance of enforcing per-asset authorization checks in custom CMS extensions or plugins. 6. Regularly review and update CMS security configurations and apply security patches promptly to reduce exposure to known vulnerabilities.