PatchSiren cyber security CVE debrief

CVE-2026-56384 craftcms CVE debrief

CVE-2026-56384 is a missing authorization vulnerability in Craft CMS, affecting versions 4.0.0-RC1 to 4.17.7 and 5.0.0-RC1 to 5.9.13. This vulnerability allows a Control Panel user without permission to view a target private asset to call the assets/preview-thumb endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset. The vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity. To address this vulnerability, defenders should prioritize patching to version 4.17.8 or 5.9.14.

Vendor: craftcms
Product: cms
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-21
Original CVE updated: 2026-06-22
Advisory published: 2026-06-21
Advisory updated: 2026-06-22

Who should care

Defenders responsible for Craft CMS installations, particularly those with Control Panel users who have access to private assets, should be aware of this vulnerability. Additionally, security teams and administrators managing Craft CMS should prioritize patching to mitigate potential exposure.

Technical summary

The vulnerability exists in the assets/preview-thumb endpoint of Craft CMS, which performs no asset-view permission check before generating a preview. A Control Panel user who lacks permission to view a given private asset can therefore supply that asset's assetId and receive the preview HTML, including the signed fallback transform preview link, bypassing the intended authorization. The issue affects Craft CMS 4.0.0-RC1 through 4.17.7 and 5.0.0-RC1 through 5.9.13 and is fixed in 4.17.8 and 5.9.14.

Defensive priority

Medium priority, given the CVSS score of 5.3 and the potential for unauthorized access to previews of private assets.

Recommended defensive actions

  • Apply patches to version 4.17.8 or 5.9.14
  • Review and restrict access to the assets/preview-thumb endpoint
  • Monitor for suspicious activity related to asset previews
  • Inventory Craft CMS installations and versions
  • Verify official advisories for additional guidance
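The two actionable items above (inventorying versions and monitoring preview activity) can be scripted. The following is an added example, not code from PatchSiren or Craft CMS: it classifies a version string against the affected ranges stated in this debrief and flags Control Panel users who request previews for an unusual number of distinct assetIds. The log format and the action URL shape (`index.php?p=actions/assets/preview-thumb&assetId=...`) are constructed assumptions; adapt the regex to your web server's log format.

```python
import re
from collections import defaultdict

# Version boundaries from the debrief: affected ranges and fixed releases.
AFFECTED_RANGES = [("4.0.0-RC1", "4.17.7"), ("5.0.0-RC1", "5.9.13")]
FIXED = {"4.17.8", "5.9.14"}

def version_key(version: str):
    """Sortable key; a pre-release (e.g. -RC1) sorts before its final release."""
    core, _, pre = version.partition("-")
    major, minor, patch = (int(x) for x in core.split("."))
    pre_num = int(re.sub(r"\D", "", pre) or 0) if pre else 0
    return (major, minor, patch, 0 if pre else 1, pre_num)

def is_affected(version: str) -> bool:
    """True when the version falls inside one of the published affected ranges."""
    k = version_key(version)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED_RANGES)

# Constructed access-log lines: "<user> <method> <path>"; the action URL form is assumed.
SAMPLE_LOG = """\
alice GET /index.php?p=actions/assets/preview-thumb&assetId=101
alice GET /index.php?p=actions/assets/preview-thumb&assetId=102
bob GET /index.php?p=actions/assets/preview-thumb&assetId=101
bob GET /index.php?p=actions/assets/preview-thumb&assetId=102
bob GET /index.php?p=actions/assets/preview-thumb&assetId=103
bob GET /index.php?p=actions/assets/preview-thumb&assetId=104
bob GET /index.php?p=actions/dashboard/get-feed-items
"""
PREVIEW_RE = re.compile(r"assets/preview-thumb\S*[?&]assetId=(\d+)")

def preview_enumerators(log_text: str, threshold: int = 3) -> dict:
    """Map user -> sorted distinct assetIds, for users requesting more than `threshold`."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, _, request = parts
        m = PREVIEW_RE.search(request)
        if m:
            seen[user].add(int(m.group(1)))
    return {u: sorted(ids) for u, ids in seen.items() if len(ids) > threshold}

if __name__ == "__main__":
    print({v: is_affected(v) for v in ("4.17.7", "4.17.8", "5.0.0-RC1", "5.9.14")})
    print(preview_enumerators(SAMPLE_LOG))  # bob requested 4 distinct assetIds
```

A flagged user is a lead, not proof: preview requests for assets the user is permitted to see are legitimate, so correlate hits with the user's asset permissions before escalating.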

Evidence notes

The vulnerability is confirmed by the CVE record and NVD detail. Primary evidence includes the CVE description, CVSS vector, and references to source code changes and security advisories. Affected product versions are 4.0.0-RC1 to 4.17.7 and 5.0.0-RC1 to 5.9.13. Defenders should verify Craft CMS versions and apply patches to mitigate exposure.

Official resources

This article is AI-assisted and based on the supplied source corpus.