CVE-2026-56384

Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
21/06/2026
Last modified:
24/06/2026

Description

Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, = 5.0.0-RC1,