PT-2026-38287 · Craft CMS · Craft CMS

Published: 2026-05-06 · Updated: 2026-05-12 · CVE-2026-44012

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Craft CMS versions 5.0.0-RC1 through 5.9.17

Description: The actionShowInFolder() function within the AssetsController fetches an asset by ID and returns its filename and complete folder hierarchy, including the volume handle, volume UID, folder names, folder UIDs, and folder URI paths. It does so without verifying that the requesting user holds the viewAssets or viewPeerAssets permission on the asset's volume. Consequently, any authenticated control panel user, regardless of their volume permissions, can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. The exposed structure may include sensitive data such as private document repositories and confidential media, and could facilitate further targeted attacks aimed at exfiltrating files.

Recommendations: Update to version 5.9.18. As a temporary workaround, restrict access to the actionShowInFolder() function within the AssetsController to minimize the risk of unauthorized data enumeration.
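The following PHP is an added illustration of the authorization gap the description refers to, showing the unchecked action beside a hardened form that enforces the volume permissions before any metadata is returned. It is not Craft's own code: the controller, resolveAsset(), requireViewPermission() and describeLocation() are assumed names, and the response shape is reconstructed from the fields the advisory lists. The Craft calls used (Asset::find(), Asset::getVolume(), Asset::getFolder(), the uploaderId attribute, Craft::$app->getUser()->checkPermission()) and the "viewAssets:<volumeUid>" / "viewPeerAssets:<volumeUid>" permission key format are taken from the Craft 4/5 API as the editor knows it.

```php
<?php
// Added illustration, not Craft CMS source. Assumed names: this controller,
// resolveAsset(), requireViewPermission(), describeLocation().

namespace example\controllers;

use Craft;
use craft\elements\Asset;
use craft\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use yii\web\Response;

class AssetsController extends Controller
{
    // Vulnerable shape: the asset is resolved by a caller-supplied ID and its
    // location is returned with no check against the caller's volume permissions.
    public function actionShowInFolderVulnerable(): Response
    {
        $this->requireAcceptsJson();
        $asset = $this->resolveAsset();

        return $this->asJson($this->describeLocation($asset));
    }

    // Hardened shape: identical lookup, but the permission check runs before
    // any filename or folder metadata is serialized.
    public function actionShowInFolder(): Response
    {
        $this->requireAcceptsJson();
        $asset = $this->resolveAsset();
        $this->requireViewPermission($asset);

        return $this->asJson($this->describeLocation($asset));
    }

    private function resolveAsset(): Asset
    {
        $assetId = (int)Craft::$app->getRequest()->getRequiredBodyParam('assetId');
        $asset = Asset::find()->id($assetId)->one();

        if ($asset === null) {
            throw new NotFoundHttpException('Asset not found');
        }

        return $asset;
    }

    // viewAssets on the asset's volume is always required; if the asset was
    // uploaded by someone else, viewPeerAssets on that volume is required too.
    private function requireViewPermission(Asset $asset): void
    {
        $userComponent = Craft::$app->getUser();
        $identity = $userComponent->getIdentity();

        if ($identity === null) {
            throw new ForbiddenHttpException('Login required');
        }

        $volumeUid = $asset->getVolume()->uid;

        if (!$userComponent->checkPermission("viewAssets:$volumeUid")) {
            throw new ForbiddenHttpException('You are not permitted to view assets in this volume.');
        }

        $isPeerAsset = $asset->uploaderId !== null && $asset->uploaderId !== $identity->id;

        if ($isPeerAsset && !$userComponent->checkPermission("viewPeerAssets:$volumeUid")) {
            throw new ForbiddenHttpException('You are not permitted to view assets uploaded by other users.');
        }
    }

    // Builds the response the advisory describes: filename plus the volume and
    // the folder chain from the root down. Assumed helper; the folder fields
    // follow craft\models\VolumeFolder.
    private function describeLocation(Asset $asset): array
    {
        $volume = $asset->getVolume();
        $folders = [];

        for ($folder = $asset->getFolder(); $folder !== null; $folder = $folder->getParent()) {
            array_unshift($folders, [
                'name' => $folder->name,
                'uid' => $folder->uid,
                'path' => $folder->path,
            ]);
        }

        return [
            'filename' => $asset->filename,
            'volume' => ['handle' => $volume->handle, 'uid' => $volume->uid],
            'folders' => $folders,
        ];
    }
}
```

The important design point is ordering: the check sits between resolving the element and building the response, so an unauthorized caller receives a 403 without learning whether the ID exists in a volume they cannot see. Until the fix is applied, repeated control panel requests to this action with sequential asset IDs from a single low-privilege account are the pattern worth alerting on.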

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-44012
GHSA-33M5-HQP9-97PW

Affected Products

Craft CMS