CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-x76w-8c62-48mg: Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permission

medium
Summary A user with Control Panel access but without permission to view a target private asset can call assets/preview-thumb and receive preview HTML that contains a signed fallback transform link for that private asset. Details Root-cause analysis: 1. The endpoint accepts an attacker-controlled assetId. 2. Asset is resolved, and thumbnail HTML is returned. 3. No explicit asset-view permission check is performed before preview generation. Impact Type: 1. Missing authorization 2. Unauthorized preview-link disclosure Affected deployments: 1. Craft sites with control panel users who have partial permissions and private assets. Security consequence: 1. A control panel user without asset-view permission can still obtain signed preview transform link data for private assets. 2. This may increase private asset exposure risk depending on deployment and endpoint chaining. Resources https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium
Published
2026-07-06
Last updated
2026-07-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-x76w-8c62-48mg

More from GitHub Security Advisories