Moderate severityOSV Advisory· Published Jan 5, 2026· Updated Jan 6, 2026

Craft CMS vulnerable to potential information disclosure via unchecked asset relocation

CVE-2025-68436

Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-68436 allows authenticated users to expose sensitive assets via crafted profile photo requests in Craft CMS versions before 5.8.21 and 4.16.17.

Vulnerability

Overview

CVE-2025-68436 is an information disclosure vulnerability affecting Craft CMS, a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users can potentially expose sensitive assets on a Craft installation by submitting maliciously crafted requests related to their user profile photo [1][2]. The root cause lies in the user model's handling of the photoId attribute, which was not properly restricted during mass assignment. The fix, visible in the commit adds a safeAttributes() method that explicitly excludes photoId from the list of safe attributes, preventing attackers from manipulating it via bulk assignment [4].

Exploitation and

Attack Surface

To exploit this vulnerability, an attacker must be an authenticated user on the Craft installation. No special crafted requests targeting the user profile photo functionality can cause the application to relocate or expose assets that should not be accessible to that user. The attack does not require any special privileges beyond a valid user account [1][2]. The vulnerability is present in both the 5.x and 4.x release lines, covering a wide range of versions.

Impact

Successful exploitation could lead to the disclosure of sensitive assets, such as files or images that are normally restricted. This could include private media, configuration files, or other resources stored on the server. The exact scope of exposed assets depends on the specific Craft installation and its asset configuration [1][1][2].

Mitigation

The vulnerability has been patched in Craft CMS versions 5.8.21 and 4.16.17. Users are strongly advised to update to these patched versions immediately. No workarounds have been publicly documented, and the vendor recommends updating as the sole mitigation [1][2]. The fix is included in the official repository commit [4].

References

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
craftcms/cmsPackagist	>= 5.0.0-RC1, < 5.8.21	5.8.21
craftcms/cmsPackagist	>= 4.0.0-RC1, < 4.16.17	4.16.17

Affected products

Craftcms/CMSOSV
Craftcms/Craftllm-fuzzy
Range: >=5.0.0-RC1 <=5.8.20 || >=4.0.0-RC1 <=4.16.16

Patches

4bcb0db554e2

Fixed GHSA-53vf-c43h-j2x9

https://github.com/craftcms/cmsbrandonkellyDec 3, 2025via ghsa

commit

2 files changed · +9 −0

CHANGELOG.md+1 −0 modified

@@ -9,6 +9,7 @@
 - Fixed RCE vulnerabilities. (GHSA-255j-qw47-wjh5, GHSA-742x-x762-7383)
 - Fixed an SSRF vulnerability. (GHSA-x27p-wfqw-hfcc)
 - Fixed a DoS vulnerability. (GHSA-v64r-7wg9-23pr)
+- Fixed an information disclosure vulnerability. (GHSA-53vf-c43h-j2x9)
 
 ## 4.16.16 - 2025-11-18

src/elements/User.php+8 −0 modified

@@ -898,6 +898,14 @@ protected function defineRules(): array
         return $rules;
     }
 
+    /**
+     * @inheritdoc
+     */
+    public function safeAttributes(): array
+    {
+        return ArrayHelper::withoutValue(parent::safeAttributes(), 'photoId');
+    }
+
     /**
      * @inheritdoc
      */

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-53vf-c43h-j2x9ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-68436ghsaADVISORY
github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9ghsax_refsource_MISCWEB
github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000