CVE-2026-56385
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. This vulnerability allows low-privileged authenticated users to bypass view authorization for assets.
Risk Assessment
The organization may be exposed to the disclosure of private asset data, potentially leading to privacy breaches and data security issues.
Recommendation
It is recommended to upgrade to versions 5.9.14 or 4.17.8 to mitigate this security vulnerability.
Original NVD description (English source)
Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and still receive preview response data (previewHtml), including a private preview image route containing the target private assetId. Fixed in 5.9.14 and 4.17.8.

