CVE-2026-33160
Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
15th
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.
| CWE | CWE-639 CWE-862 |
| Vendor | craftcms |
| Product | cms |
| Published | Mar 24, 2026 |
| Last Updated | Mar 26, 2026 |
Stay Ahead of the Next One
Get instant alerts for craftcms cms
Be the first to know when new unknown vulnerabilities affecting craftcms cms are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
craftcms / cms
>= 4.0.0-RC1, < 4.17.8 >= 5.0.0-RC1, < 5.9.14