Craft CMS, a popular content management system, contains an authorization bypass vulnerability identified as CVE-2026-33160 affecting versions from 4.0.0-RC1 up to but not including 4.17.8 and from 5.0.0-RC1 up to but not including 5.9.14. The vulnerability resides in the assets/generate-transform endpoint, which is accessible anonymously and does not validate whether the requesting user is authorized to access the specified asset. By supplying a private assetId, an unauthenticated attacker can generate a valid transform URL and retrieve the transformed image bytes of private assets. This bypasses intended access controls, exposing potentially sensitive media content. The flaw is categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-862 (Missing Authorization). The vulnerability does not require any privileges or user interaction, making it trivially exploitable. However, the impact is limited to confidentiality loss of image assets, with no integrity or availability implications. The issue has been addressed in Craft CMS versions 4.17.8 and 5.9.14 by enforcing proper authorization checks on the endpoint. No public exploits have been reported, and the CVSS 4.0 score of 2.7 reflects the low severity of this vulnerability.

The primary impact of this vulnerability is unauthorized disclosure of private image assets managed by Craft CMS. Organizations using affected versions risk exposure of sensitive or proprietary media content, which could lead to privacy violations, intellectual property theft, or reputational damage. Since the vulnerability allows unauthenticated access, attackers do not need credentials or user interaction, increasing the ease of exploitation. However, the scope is limited to image asset confidentiality; there is no direct impact on system integrity or availability. The risk is more pronounced for organizations that store sensitive images or proprietary media within Craft CMS. Public-facing websites using vulnerable versions could be targeted to extract private images, potentially aiding further reconnaissance or social engineering attacks. Despite the low CVSS score, the exposure of private assets can have business or legal consequences depending on the nature of the content.

Organizations should upgrade Craft CMS to versions 4.17.8 or 5.9.14 or later, where the authorization checks on the assets/generate-transform endpoint have been properly implemented. Until upgrades can be applied, administrators should consider restricting access to the assets/generate-transform endpoint via web application firewalls or network controls to trusted users only. Review and audit asset permissions within Craft CMS to ensure sensitive images are properly classified and access is limited. Implement monitoring and alerting for unusual requests to the assets/generate-transform endpoint to detect potential exploitation attempts. Additionally, consider obfuscating or relocating sensitive assets outside of the CMS if immediate patching is not feasible. Regularly review vendor advisories and update CMS components promptly to reduce exposure to similar vulnerabilities.