Anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users

Low
angrybrad published GHSA-vgjg-248p-rfm2 Mar 24, 2026

Package

composer craftcms/cms (Composer)

Affected versions

>= 5.0.0-RC1, <= 5.9.13
>= 4.0.0-RC1, <= 4.17.7

Patched versions

5.9.14
4.17.8

Description

Summary

A low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint.

The endpoint returns private editing metadata without per-asset authorization validation.

Root-cause analysis:

  1. actionImageEditor() accepts assetId from the request body.
  2. The asset is loaded, and the focal-point data is read.
  3. Response returns html and focalPoint.
  4. No explicit authorization check is applied before the response.
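The authorization gap described in the root-cause list, sketched as an added example that is not Craft's code and not the fix in d30df31: a controller action of the same shape (assetId from the request body, html and focalPoint in the response) with a per-asset view check placed before any asset data is read. `Craft::$app->getElements()->canView()` is Craft's element-permission helper; the namespace, class name and template name are placeholders.

```php
<?php
namespace modules\example\controllers; // placeholder namespace for this sketch

use Craft;
use craft\elements\Asset;
use craft\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use yii\web\Response;

class ExampleAssetsController extends Controller
{
    /**
     * Returns image-editor metadata for one asset, refusing before any
     * asset data is read when the requesting user may not view that asset.
     */
    public function actionImageEditor(): Response
    {
        $this->requireLogin();
        $this->requireAcceptsJson();

        // Step 1 of the root-cause list: the ID comes from the request body.
        $assetId = (int)$this->request->getRequiredBodyParam('assetId');
        $asset = Asset::find()->id($assetId)->one();

        if ($asset === null) {
            throw new NotFoundHttpException('Asset not found.');
        }

        // The missing step 4: per-asset authorization for the current user,
        // evaluated before focalPoint or the editor HTML is produced.
        // (A deployment may prefer to answer 404 here too, so the endpoint
        // does not confirm which private asset IDs exist.)
        if (!Craft::$app->getElements()->canView($asset)) {
            throw new ForbiddenHttpException('User is not permitted to view this asset.');
        }

        return $this->asJson([
            // Template name is a placeholder, not Craft's real editor template.
            'html' => $this->getView()->renderTemplate('PLACEHOLDER/image_editor'),
            'focalPoint' => $asset->getFocalPoint(),
        ]);
    }
}
```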

Impact

Affected deployments:

  • Craft sites where asset edit metadata should remain restricted to authorized users.

Security consequence:

  • Unauthorized users can extract private editor metadata and related editor context for inaccessible assets.

References

d30df31

Severity

Low

CVE ID

CVE-2026-33161

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Credits