CVE-2026-56384
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
21/06/2026
Last modified:
24/06/2026
Description
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, = 5.0.0-RC1,
Impact
Base Score 4.0
5.30
Severity 4.0
MEDIUM
Base Score 3.x
4.30
Severity 3.x
MEDIUM



