Craft CMS, a popular content management system, contains a vulnerability identified as CVE-2026-33161 that affects versions from 4.0.0-RC1 up to but not including 4.17.8, and from 5.0.0-RC1 up to but not including 5.9.14. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and CWE-862 (Missing Authorization). Specifically, a low-privileged authenticated user can invoke the assets/image-editor API endpoint with the identifier of a private asset they are not authorized to access. Despite lacking permission to view the asset, the endpoint responds with editing metadata, including focalPoint data, which is intended to be private. This occurs because the endpoint does not enforce per-asset authorization validation before returning this sensitive metadata. The exposure is limited to metadata related to image editing and does not include the asset content itself. The vulnerability does not require user interaction and can be exploited remotely by any authenticated user with low privileges. The CVSS 4.0 base score is 1.3, reflecting a low severity due to limited impact and the requirement for authentication. The flaw has been addressed in Craft CMS versions 4.17.8 and 5.9.14 by implementing proper authorization checks on the affected endpoint. No public exploits or active exploitation campaigns have been reported to date.

The primary impact of CVE-2026-33161 is the unauthorized disclosure of sensitive image editing metadata, such as focalPoint information, which could reveal details about private assets that users or organizations intended to keep confidential. While this does not expose the actual asset content or allow modification, the leaked metadata could assist attackers in profiling the asset repository, understanding asset usage, or planning further targeted attacks. For organizations relying on Craft CMS to manage sensitive or proprietary media content, this information leakage could undermine privacy policies and compliance requirements. However, the impact is limited by the need for an authenticated user account with at least low privileges, reducing the risk from external unauthenticated attackers. The vulnerability does not affect system integrity or availability, and no known active exploitation has been observed, further limiting its immediate threat. Nonetheless, in environments where user accounts are widely distributed or where insider threats exist, this vulnerability could facilitate reconnaissance and information gathering.

Organizations using Craft CMS should upgrade affected installations to version 4.17.8 or 5.9.14 or later, where the vulnerability has been patched with proper authorization checks. Until upgrades can be applied, administrators should restrict access to the assets/image-editor endpoint to only trusted users and monitor authenticated user activity for unusual access patterns to private assets. Implementing strict role-based access controls (RBAC) and minimizing the number of users with authenticated access can reduce exposure. Additionally, reviewing and tightening permissions on private assets and auditing asset metadata exposure can help identify and mitigate risks. Web application firewalls (WAFs) may be configured to detect and block suspicious requests targeting the vulnerable endpoint. Finally, organizations should maintain regular patch management processes and monitor vendor advisories for related vulnerabilities.