Craft CMS - Authorization Bypass in assets/preview-file Endpoint | Advisories

Advisories

Craft CMS - Authorization Bypass in assets/preview-file Endpoint

severity: medium
date: 6/21/2026
Affecting: cms >= 5.0.0-RC1, < 5.9.14
cms >= 4.0.0-RC1, < 4.17.8
CVE: CVE-2026-56385
CWE: CWE-639 Authorization Bypass Through User-Controlled Key
CVSS: 5.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References: GHSA Advisory GHSA-44px-qjjc-xrhq
https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27
Credit: GCXWLP
Description: Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and still receive preview response data (previewHtml), including a private preview image route containing the target private assetId. Fixed in 5.9.14 and 4.17.8.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo