Unrated severityNVD Advisory· Published Jun 21, 2026

Craft CMS - Authorization Bypass in assets/preview-file Endpoint

CVE-2026-56385

Description

Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and still receive preview response data (previewHtml), including a private preview image route containing the target private assetId. Fixed in 5.9.14 and 4.17.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Craftcms/Craft CMSllm-fuzzy
Range: >=5.0.0-RC1, <=5.9.13; >=4.0.0-RC1, <=4.17.7

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27mitrepatch
github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhqmitrevendor-advisory
www.vulncheck.com/advisories/craft-cms-authorization-bypass-in-assets-preview-file-endpointmitrethird-party-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000