
Anonymous "generate transform" calls for assets can expose private assets via transform URL

Moderate
angrybrad published GHSA-5pgf-h923-m958 Mar 24, 2026

Package

composer craftcms/cms (Composer)

Affected versions

>= 5.0.0-RC1, <= 5.9.13
>= 4.0.0-RC1, <= 4.17.7

Patched versions

5.9.14
4.17.8

Description

Summary

An unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes.

The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL.

Details

Root cause:

  • The anonymous endpoint accepts a user-controlled asset reference (assetId).
  • It creates and returns a transform URL for that asset without checking whether the caller may access it.
  • If the transform output is reachable, guest users can read content derived from private assets.

Who is impacted:

  • Installations where private source assets can be transformed and transform URLs are reachable.

Security consequence:

  • Anonymous users can obtain content derived from private assets without authentication.
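The root cause above is the classic insecure-direct-object-reference shape: an identifier from the request is resolved straight to a record and a derived URL is handed back. The following PHP script is an added illustration written for this advisory, not Craft CMS code; the class and method names (AssetRecord, CurrentUser, TransformService, generateTransformUnchecked, generateTransform) and the sample assets are constructed stand-ins. It shows the unchecked pattern next to a hardened one that authorizes the caller against the specific asset before any URL is built, while still serving assets from volumes that are meant to be public.

```php
<?php
// Added illustration for the advisory; not Craft CMS code. All names below are hypothetical.
declare(strict_types=1);

final class NotFoundException extends RuntimeException {}

/** Minimal stand-in for an asset row: its volume and whether that volume has public URLs. */
final class AssetRecord
{
    public function __construct(
        public readonly int $id,
        public readonly string $filename,
        public readonly string $volumeUid,
        public readonly bool $volumeHasPublicUrls,
    ) {}
}

/** Stand-in for the request's user; a null CurrentUser means an anonymous (guest) request. */
final class CurrentUser
{
    /** @param string[] $viewableVolumeUids volumes whose assets this user may view */
    public function __construct(public readonly array $viewableVolumeUids) {}

    public function canViewAsset(AssetRecord $asset): bool
    {
        return in_array($asset->volumeUid, $this->viewableVolumeUids, true);
    }
}

final class TransformService
{
    /** @var array<int, AssetRecord> constructed sample data */
    private array $assets;

    public function __construct()
    {
        $this->assets = [
            1 => new AssetRecord(1, 'hero.jpg', 'vol-public', true),
            2 => new AssetRecord(2, 'contract.png', 'vol-private', false),
        ];
    }

    private function findAsset(int $assetId): AssetRecord
    {
        return $this->assets[$assetId] ?? throw new NotFoundException("asset $assetId");
    }

    /** Builds a deterministic transform URL; a real implementation would also render the file. */
    private function buildUrl(AssetRecord $asset, string $handle): string
    {
        return sprintf('/transforms/%s/%d/%s', $handle, $asset->id, $asset->filename);
    }

    /** VULNERABLE pattern: the user-supplied id is resolved and a URL returned with no access check. */
    public function generateTransformUnchecked(int $assetId, string $handle): string
    {
        return $this->buildUrl($this->findAsset($assetId), $handle);
    }

    /** HARDENED pattern: resolve the id, then authorize the caller against that specific asset. */
    public function generateTransform(int $assetId, string $handle, ?CurrentUser $user): string
    {
        $asset = $this->findAsset($assetId);
        // Public-volume assets stay reachable for guests; anything else needs a user who may view it.
        $allowed = $asset->volumeHasPublicUrls
            || ($user !== null && $user->canViewAsset($asset));
        if (!$allowed) {
            // Answer as if the asset does not exist so the id space is not enumerable by error type.
            throw new NotFoundException("asset $assetId");
        }
        return $this->buildUrl($asset, $handle);
    }
}

$svc = new TransformService();
$guest = null;

// The unchecked variant hands a guest a URL derived from the private asset.
echo $svc->generateTransformUnchecked(2, 'thumb'), PHP_EOL;

// The hardened variant refuses the private asset for a guest ...
try {
    $svc->generateTransform(2, 'thumb', $guest);
} catch (NotFoundException $e) {
    echo 'guest denied: ', $e->getMessage(), PHP_EOL;
}
// ... still serves the public asset, and serves the private one to an authorized user.
echo $svc->generateTransform(1, 'thumb', $guest), PHP_EOL;
echo $svc->generateTransform(2, 'thumb', new CurrentUser(['vol-private'])), PHP_EOL;
```

Two design points carry over to any real fix. First, the check must run after the identifier is resolved, because the decision depends on the asset's volume, not on the caller alone; an endpoint-level "is anonymous access allowed" flag cannot express that. Second, the "who is impacted" condition in this advisory is the second half of the chain: even with the check in place, already-generated transform files that sit under a web-reachable path remain readable until they are removed or moved, so remediation should include auditing existing transform output for private volumes.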

References

7290d91639e

Severity

Moderate

CVE ID

CVE-2026-33160

Weaknesses

Authorization Bypass Through User-Controlled Key (CWE-639)

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Missing Authorization (CWE-862)

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Credits