
Improper authorization control for web services in craftcms/cms

Description

Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users

Summary

A low-privileged authenticated user can call `assets/image-editor` with the ID of a private asset they cannot view and still receive editor response data, including `focalPoint`.

The endpoint returns private editing metadata without per-asset authorization validation.

Root-cause analysis:

    actionImageEditor() accepts assetId from the request body.

    The asset is loaded, and the focal-point data is read.

    Response returns html and focalPoint.

    No explicit authorization check is applied before the response.

Affected deployments:

    Craft sites where asset edit metadata should remain restricted to authorized users.

Security consequence:

    Unauthorized users can extract private editor metadata and related editor context for inaccessible assets.
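As an added illustration (not Craft's own code or the project's fix), the following Craft-style controller action shows where a per-asset authorization check belongs in the flow described above: the asset is resolved first, access is denied before any editor metadata is read, and only then are `html` and `focalPoint` returned. The Craft service calls (`getAssetById`, `getElements()->canView`, `getFocalPoint`) follow Craft 4 conventions and the template path is a placeholder; both are assumptions, not values taken from this advisory.

```php
<?php
// Added illustration, not craftcms/cms source. Assumed Craft 4-style APIs:
//   Craft::$app->getAssets()->getAssetById(), Craft::$app->getElements()->canView(),
//   Asset::getFocalPoint(). The template path below is a placeholder.
namespace app\controllers;

use Craft;
use craft\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use yii\web\Response;

class ImageEditorController extends Controller
{
    public function actionImageEditor(): Response
    {
        $this->requireAcceptsJson();

        // Same input as the advisory describes: assetId comes from the request body.
        $assetId = (int)$this->request->getRequiredBodyParam('assetId');

        $asset = Craft::$app->getAssets()->getAssetById($assetId);
        if ($asset === null) {
            throw new NotFoundHttpException('Asset not found.');
        }

        // Root cause in the advisory: the asset was loaded and focalPoint read with
        // no per-asset check. A login requirement alone does not help here, because
        // the caller is already a low-privileged authenticated user; authorization
        // must be evaluated against this specific element for the current user.
        if (!Craft::$app->getElements()->canView($asset)) {
            throw new ForbiddenHttpException('You are not permitted to view this asset.');
        }

        // Editor metadata is only read after the authorization decision.
        $focalPoint = $asset->getFocalPoint();
        $html = $this->getView()->renderTemplate(
            '_placeholder/image_editor.twig', // assumed template path
            ['asset' => $asset]
        );

        return $this->asJson([
            'html' => $html,
            'focalPoint' => $focalPoint,
        ]);
    }
}
```

Deploying a check like this should be accompanied by a test that calls the action as a user without view permission on the asset and asserts a 403 with no `focalPoint` in the body.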

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
