GHSA-5pgf-h923-m958

Source

https://github.com/advisories/GHSA-5pgf-h923-m958

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5pgf-h923-m958/GHSA-5pgf-h923-m958.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5pgf-h923-m958

Aliases

CVE-2026-33160

Published

2026-03-24T16:59:58Z

Modified

2026-03-25T21:18:57.381396Z

Severity

2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL

Details

Summary

An unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes.

The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL.

Details

Root cause: - Anonymous endpoint accepts user-controlled asset reference. - It creates and returns a transform URL for that asset without checking access rights. - If the transform output is reachable, guest users can read content derived from private assets.

Who is impacted:

Installations where private source assets can be transformed and transform URLs are reachable.

Security consequence:

Anonymous users can obtain content derived from private assets without authentication.

Resources

https://github.com/craftcms/cms/commit/7290d91639e

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2026-03-24T18:16:10Z",
    "cwe_ids": [
        "CWE-639",
        "CWE-862"
    ],
    "github_reviewed_at": "2026-03-24T16:59:58Z",
    "severity": "LOW"
}

References

Affected packages

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0-RC1

Fixed

5.9.14

Affected versions

5.*

5.0.0-RC1

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.2.0-beta.1

5.2.0-beta.2

5.2.0-beta.3

5.2.0-beta.4

5.2.0-beta.5

5.2.0-beta.6

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.4.1

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

5.2.10

5.3.0-beta.1

5.3.0-beta.2

5.3.0

5.3.0.1

5.3.0.2

5.3.0.3

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.4.0

5.4.0.1

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.5.1

5.4.6

5.4.7

5.4.7.1

5.4.8

5.4.9

5.4.10

5.4.10.1

5.5.0

5.5.0.1

5.5.1

5.5.1.1

5.5.2

5.5.3

5.5.4

5.5.5

5.5.6

5.5.6.1

5.5.7

5.5.8

5.5.9

5.5.10

5.6.0

5.6.0.1

5.6.0.2

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.5.1

5.6.6

5.6.7

5.6.8

5.6.9

5.6.9.1

5.6.10

5.6.10.1

5.6.10.2

5.6.11

5.6.12

5.6.13

5.6.14

5.6.15

5.6.16

5.6.17

5.7.0-beta.1

5.7.0-beta.2

5.7.0

5.7.1

5.7.1.1

5.7.2

5.7.3

5.7.4

5.7.5

5.7.6

5.7.7

5.7.8

5.7.8.1

5.7.8.2

5.7.9

5.7.10

5.7.11

5.8.0

5.8.1

5.8.2

5.8.3

5.8.4

5.8.5

5.8.6

5.8.7

5.8.8

5.8.9

5.8.10

5.8.11

5.8.12

5.8.13

5.8.13.1

5.8.13.2

5.8.14

5.8.15

5.8.16

5.8.17

5.8.18

5.8.19

5.8.20

5.8.21

5.8.22

5.8.23

5.9.0-beta.1

5.9.0-beta.2

5.9.0

5.9.1

5.9.2

5.9.3

5.9.4

5.9.5

5.9.6

5.9.7

5.9.8

5.9.9

5.9.10

5.9.11

5.9.12

5.9.13

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5pgf-h923-m958/GHSA-5pgf-h923-m958.json"

last_known_affected_version_range

"<= 5.9.13"

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0-RC1

Fixed

4.17.8

Affected versions

4.*

4.0.0-RC1

4.0.0-RC2

4.0.0-RC3

4.0.0

4.0.0.1

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.5.1

4.0.5.2

4.0.6

4.1.0

4.1.0.1

4.1.0.2

4.1.1

4.1.2

4.1.3

4.1.4

4.1.4.1

4.2.0

4.2.0.1

4.2.0.2

4.2.1

4.2.1.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.5.1

4.2.5.2

4.2.6

4.2.7

4.2.8

4.3.0

4.3.1

4.3.2

4.3.2.1

4.3.3

4.3.4

4.3.5

4.3.6

4.3.6.1

4.3.7

4.3.7.1

4.3.8

4.3.8.1

4.3.8.2

4.3.9

4.3.10

4.3.11

4.4.0-beta.1

4.4.0-beta.2

4.4.0-beta.3

4.4.0-beta.4

4.4.0-beta.5

4.4.0-beta.6

4.4.0-beta.7

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.6.1

4.4.7

4.4.7.1

4.4.8

4.4.9

4.4.10

4.4.10.1

4.4.11

4.4.12

4.4.13

4.4.14

4.4.15

4.4.16

4.4.16.1

4.4.17

4.5.0-beta.1

4.5.0-beta.2

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.6.1

4.5.7

4.5.8

4.5.9

4.5.10

4.5.11

4.5.11.1

4.5.12

4.5.13

4.5.14

4.5.15

4.6.0-RC1

4.6.0

4.6.1

4.7.0

4.7.1

4.7.2

4.7.2.1

4.7.3

4.7.4

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

4.8.6

4.8.7

4.8.8

4.8.9

4.8.10

4.8.11

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.9.5

4.9.6

4.9.7

4.10.0-beta.1

4.10.0-beta.2

4.10.0

4.10.1

4.10.2

4.10.3

4.10.4

4.10.5

4.10.6

4.10.7

4.10.8

4.11.0

4.11.0.1

4.11.0.2

4.11.1

4.11.2

4.11.3

4.11.4

4.11.5

4.12.0

4.12.1

4.12.2

4.12.3

4.12.4

4.12.4.1

4.12.5

4.12.6

4.12.6.1

4.12.7

4.12.8

4.12.9

4.13.0

4.13.1

4.13.1.1

4.13.2

4.13.3

4.13.4

4.13.5

4.13.6

4.13.7

4.13.8

4.13.9

4.13.10

4.14.0

4.14.0.1

4.14.0.2

4.14.1

4.14.2

4.14.3

4.14.4

4.14.5

4.14.6

4.14.7

4.14.8

4.14.8.1

4.14.9

4.14.10

4.14.11

4.14.11.1

4.14.12

4.14.13

4.14.14

4.14.15

4.15.0-beta.1

4.15.0-beta.2

4.15.0

4.15.0.1

4.15.0.2

4.15.1

4.15.2

4.15.3

4.15.4

4.15.5

4.15.6

4.15.6.1

4.15.6.2

4.15.7

4.16.0

4.16.1

4.16.2

4.16.3

4.16.4

4.16.5

4.16.6

4.16.6.1

4.16.7

4.16.8

4.16.9

4.16.9.1

4.16.10

4.16.11

4.16.12

4.16.13

4.16.14

4.16.15

4.16.16

4.16.17

4.16.18

4.16.19

4.17.0-beta.1

4.17.0-beta.2

4.17.0

4.17.1

4.17.2

4.17.3

4.17.4

4.17.5

4.17.6

4.17.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5pgf-h923-m958/GHSA-5pgf-h923-m958.json"

last_known_affected_version_range

"<= 4.17.7"