GHSA-x76w-8c62-48mg
Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permission
Details
### Summary
A user with Control Panel access but without permission to view a target private asset can call `assets/preview-thumb` and receive preview HTML that contains a signed fallback transform link for that private asset.
### Details
Root-cause analysis: 1. The endpoint accepts an attacker-controlled `assetId`. 2. Asset is resolved, and thumbnail HTML is returned. 3. No explicit asset-view permission check is performed before preview generation.
### Impact
Type:
1. Missing authorization 2. Unauthorized preview-link disclosure
Affected deployments:
1. Craft sites with control panel users who have partial permissions and private assets.
Security consequence:
1. A control panel user without asset-view permission can still obtain signed preview transform link data for private assets. 2. This may increase private asset exposure risk depending on deployment and endpoint chaining.
## Resources
https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27
Are you affected?
Enter the version of the package you're using.
Affected packages
4.0.0-RC1 Fixed in: 4.17.8 composer require craftcms/cms:^4.17.8 5.0.0-RC1 Fixed in: 5.9.14 composer require craftcms/cms:^5.9.14