CVE-2026-33160 is an authorization bypass vulnerability identified in the Craft CMS content management system, affecting versions from 4.0.0-RC1 up to but not including 4.17.8, and from 5.0.0-RC1 up to but not including 5.9.14. The vulnerability arises because the assets/generate-transform endpoint is accessible anonymously and does not enforce authorization checks on the assetId parameter. An attacker can supply a private assetId to this endpoint and receive a valid URL for a transformed version of the image asset. Subsequently, the attacker can fetch the transformed image bytes without authentication or authorization. This flaw is categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-862 (Missing Authorization). The vulnerability allows unauthorized disclosure of private image assets, potentially exposing sensitive or confidential media content. The CVSS 4.0 base score is 2.7, reflecting a low severity primarily due to the limited impact on confidentiality and no impact on integrity or availability, combined with the ease of exploitation without authentication or user interaction. The vulnerability has been addressed in Craft CMS versions 4.17.8 and 5.9.14 by enforcing proper authorization checks on the assets/generate-transform endpoint to ensure only authorized users can access private asset transformations.

The primary impact of this vulnerability is unauthorized disclosure of private image assets stored in Craft CMS. Organizations using affected versions may inadvertently expose sensitive media files to unauthenticated attackers, which could lead to privacy violations, leakage of proprietary or confidential information, or reputational damage. While the vulnerability does not allow modification or deletion of assets, the exposure of private content can be significant depending on the nature of the images stored. This could affect websites that rely on Craft CMS for managing sensitive media such as internal documents, product designs, or personal user data. The low CVSS score indicates limited risk to system integrity or availability, but confidentiality impact varies by use case. Since the endpoint is anonymous and requires no user interaction, exploitation is straightforward for remote attackers. No known exploits have been reported in the wild, but the vulnerability should be considered a risk for organizations with sensitive media assets hosted on vulnerable Craft CMS versions.

Organizations should immediately upgrade Craft CMS to version 4.17.8 or 5.9.14 or later, where the vulnerability has been patched with proper authorization enforcement on the assets/generate-transform endpoint. Until upgrades can be applied, administrators should consider restricting access to the assets/generate-transform endpoint via web application firewalls (WAFs) or network-level controls to trusted users only. Implementing strict access controls on private asset storage and monitoring access logs for unusual requests to the transform endpoint can help detect exploitation attempts. Additionally, reviewing and minimizing the number of private assets exposed through transformations reduces risk. Developers should audit custom plugins or integrations that interact with asset transformations to ensure they do not bypass authorization checks. Regularly applying security updates and following vendor advisories for Craft CMS is critical to maintaining a secure environment.