PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56385 craftcms CVE debrief

CVE-2026-56385 is a medium-severity authorization bypass vulnerability in Craft CMS. The vulnerability affects Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7. An authenticated low-privileged user can exploit this vulnerability to view private assets by supplying a controlled assetId. The vulnerability has been fixed in Craft CMS versions 5.9.14 and 4.17.8. Defenders should prioritize patching affected systems to limit exposure.

Vendor: craftcms
Product: cms
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-21
Original CVE updated: 2026-06-22
Advisory published: 2026-06-21
Advisory updated: 2026-06-22

Who should care

Defenders responsible for Craft CMS installations should prioritize patching affected systems to limit exposure. This includes administrators, security teams, and developers who manage Craft CMS instances. Additionally, because any authenticated low-privileged user who can reach the affected endpoint can trigger the issue, operators of installations that grant such accounts to untrusted users should be aware of the potential risk.

Technical summary

The vulnerability exists in the assets/preview-file endpoint of Craft CMS. The endpoint does not enforce per-asset view authorization, so an authenticated low-privileged user who supplies a controlled assetId for an asset they are not permitted to view still receives the preview response data (previewHtml), including a private preview image route that contains the target private assetId. In effect, knowledge of a valid assetId substitutes for the per-asset view permission that should have been checked. The CVSS score for this vulnerability is 5.3, indicating medium severity.

Defensive priority

Defenders should prioritize patching affected systems to limit exposure to potential unauthorized access to private assets.

Recommended defensive actions

  • Upgrade to Craft CMS 5.9.14 or 4.17.8, the versions that contain the fix
  • Until patched, review and restrict which user groups can reach the assets/preview-file endpoint
  • Monitor for unusual assets/preview-file activity, such as low-privileged accounts requesting previews of assets they would not normally access
  • Inventory Craft CMS installations and compare their versions against the affected ranges to identify affected systems
  • Review user privileges and limit access to sensitive assets

Evidence notes

The vulnerability is confirmed to exist in Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7. The primary evidence for this vulnerability comes from the official CVE record and the vendor's security advisory. Defenders should verify the affected versions and apply patches accordingly.
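As an added example (not part of the PatchSiren debrief or of Craft CMS's own tooling), the following Python helper encodes the affected ranges stated above and classifies an installed version string, handling the RC pre-release lower bounds so that, for instance, 5.0.0-beta.1 is reported as outside the stated range while 5.0.0-RC1 is inside it. The accepted version format (MAJOR.MINOR.PATCH with an optional -alpha/-beta/-RC suffix) is an assumption about how versions are recorded in an inventory.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as stated in the advisory. Lower bounds are RC
# pre-releases, upper bounds are stable releases; both ends are inclusive.
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.17.7"),
    ("5.0.0-RC1", "5.9.13"),
]
# First fixed release on each affected major line, per the advisory.
FIXED_VERSIONS = {4: "4.17.8", 5: "5.9.14"}

# Pre-release ordering: alpha < beta < rc < stable (stable gets rank 3 below).
_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
# Assumed inventory format: MAJOR.MINOR.PATCH[-TAG[.]N], e.g. 5.0.0-RC1, 5.0.0-beta.1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Parse a Craft version string into a tuple that sorts like Composer/semver."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, num = m.group(4), m.group(5)
    if tag is None:
        # A stable release ranks above every pre-release of the same number.
        return (major, minor, patch, 3, 0)
    rank = _PRE_ORDER.get(tag.lower())
    if rank is None:
        raise ValueError(f"unknown pre-release tag in {text!r}")
    return (major, minor, patch, rank, int(num or 0))


def is_affected(version: str) -> bool:
    """True if the installed version falls inside a range the advisory lists."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def remediation(version: str) -> Optional[str]:
    """Return the fixed version to upgrade to, or None when not affected."""
    if not is_affected(version):
        return None
    return FIXED_VERSIONS[parse_version(version)[0]]
```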

Official resources

This article is AI-assisted and based on the supplied source corpus.