VDB
KO
MEDIUM

GHSA-x76w-8c62-48mg

Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permission

Details

### Summary

A user with Control Panel access but without permission to view a target private asset can call `assets/preview-thumb` and receive preview HTML that contains a signed fallback transform link for that private asset.

### Details

Root-cause analysis: 1. The endpoint accepts an attacker-controlled `assetId`. 2. Asset is resolved, and thumbnail HTML is returned. 3. No explicit asset-view permission check is performed before preview generation.

### Impact

Type:

1. Missing authorization 2. Unauthorized preview-link disclosure

Affected deployments:

1. Craft sites with control panel users who have partial permissions and private assets.

Security consequence:

1. A control panel user without asset-view permission can still obtain signed preview transform link data for private assets. 2. This may increase private asset exposure risk depending on deployment and endpoint chaining.

## Resources

https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / craftcms/cms
Introduced in: 4.0.0-RC1 Fixed in: 4.17.8
Fix composer require craftcms/cms:^4.17.8
Packagist / craftcms/cms
Introduced in: 5.0.0-RC1 Fixed in: 5.9.14
Fix composer require craftcms/cms:^5.9.14

References