SB2026032462 - Multiple vulnerabilities in Craft CMS
Published: March 24, 2026
Description
This security bulletin contains information about 6 security vulnerabilities.
1) Missing Authentication for Critical Function (CVE-ID: CVE-2026-33159)
The vulnerability allows a remote, unauthenticated attacker to compromise the target system.
The vulnerability exists due to missing authentication for a critical function. A remote attacker can trigger project configuration sync operations without logging in.
2) Missing Authorization (CVE-ID: CVE-2026-33162)
The vulnerability allows a remote user to modify content without the required permissions.
The vulnerability exists due to missing authorization in the "entries/move-to-section" action. A remote user can move entries into a section without holding permissions for that section.
3) Missing Authorization (CVE-ID: N/A)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to missing authorization in the "assets/preview-file" action. A remote user without access to an asset can retrieve its private preview metadata.
4) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33160)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an authorization bypass through a user-controlled key. A remote attacker can access private assets by requesting an image transform URL for them.
5) Information disclosure (CVE-ID: CVE-2026-33158)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists because the asset-editing endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check. A remote user can read the contents of a private asset while editing an asset.
6) Missing Authorization (CVE-ID: CVE-2026-33161)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to missing authorization in the "assets/image-editor" action. A remote user can extract private editor metadata and related editor context for assets they are not permitted to access.
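Items 2 through 6 share one shape: an action takes an object identifier from the request, loads that object, and returns data or performs an operation before checking that the caller may act on that specific object (item 1 is the authentication analogue, where the gate is missing entirely). The PHP below is an added illustration of that pattern and of the fix; it is not Craft CMS code and not the code changed in the referenced advisories. The Asset, User, HttpException and AssetsController classes and the two sample assets are constructed for this example, and the action name only echoes "assets/preview-file" from item 3.

```php
<?php
// Added illustration of the bug class in this bulletin: a per-object view check
// missing from an action that returns data for a user-supplied asset ID.
// Not Craft CMS code; every class here is a self-contained stand-in so the
// file runs with plain `php` (8.1 or later).
declare(strict_types=1);

final class Asset {
    public function __construct(
        public readonly int $id,
        public readonly string $filename,
        public readonly string $volume,   // e.g. "public" or "private"
    ) {}
}

final class User {
    /** @param string[] $viewableVolumes volumes whose assets this user may view */
    public function __construct(public readonly ?int $id, public readonly array $viewableVolumes) {}
    public function isGuest(): bool { return $this->id === null; }
    public function canView(Asset $asset): bool {
        return in_array($asset->volume, $this->viewableVolumes, true);
    }
}

final class HttpException extends \RuntimeException {
    public function __construct(public readonly int $status, string $message) {
        parent::__construct($message);
    }
}

final class AssetsController {
    /** @param array<int,Asset> $assets constructed in-memory asset store */
    public function __construct(private array $assets) {}

    private function findAsset(int $id): Asset {
        return $this->assets[$id] ?? throw new HttpException(404, "Asset $id not found");
    }

    // Vulnerable shape: the only gate is "is the caller logged in". The asset is
    // loaded from the user-controlled `assetId` and its metadata is returned
    // regardless of whether this user may view that asset.
    public function actionPreviewFileVulnerable(User $user, int $assetId): array {
        if ($user->isGuest()) {
            throw new HttpException(403, 'Login required');
        }
        $asset = $this->findAsset($assetId);
        return ['id' => $asset->id, 'filename' => $asset->filename, 'volume' => $asset->volume];
    }

    // Hardened shape: authenticate, load, then enforce the per-asset view check
    // before any metadata, file bytes, or preview redirect are produced.
    public function actionPreviewFile(User $user, int $assetId): array {
        if ($user->isGuest()) {
            throw new HttpException(403, 'Login required');
        }
        $asset = $this->findAsset($assetId);
        if (!$user->canView($asset)) {
            // Same status as "not found" so the response does not confirm the ID exists.
            throw new HttpException(404, "Asset $assetId not found");
        }
        return ['id' => $asset->id, 'filename' => $asset->filename, 'volume' => $asset->volume];
    }
}

// Constructed sample data: one public and one private asset, and an editor
// who may view the public volume only.
$controller = new AssetsController([
    1 => new Asset(1, 'hero.jpg', 'public'),
    2 => new Asset(2, 'contract.pdf', 'private'),
]);
$editor = new User(7, ['public']);

// Vulnerable action: the private asset's filename is disclosed to the editor.
$leaked = $controller->actionPreviewFileVulnerable($editor, 2);
echo "vulnerable: " . json_encode($leaked) . "\n";

// Hardened action: the same request is refused.
try {
    $controller->actionPreviewFile($editor, 2);
    echo "hardened: unexpectedly allowed\n";
} catch (HttpException $e) {
    echo "hardened: {$e->status} {$e->getMessage()}\n";
}
```

The check that matters is the one on the loaded object, not on the session: a logged-in requirement alone is what every authorization item in this bulletin already had. When reviewing a patch for this class of bug, confirm the per-object check runs on every code path that can emit data about the object, including redirects and error messages, and that its absence is the only difference between the two actions above.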
Remediation
Install the update from the vendor's website. The patched versions are listed in the referenced GitHub Security Advisories.
References
- https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w
- https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g
- https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq
- https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958
- https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c
- https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2