PT-2026-54780 · Craft Cms · Craft Cms
Cataliniovita-Snyk
+1
·
Published
2026-07-01
·
Updated
2026-07-02
·
CVE-2026-50283
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 4.0.0-RC1 through 4.17.13
Craft CMS versions 5.0.0-RC1 through 5.9.20
Description
An authorization issue exists in the
AssetsController::actionReplaceFile() function. The system allows replacing a target asset file using another existing asset as the source. When both assetId and sourceAssetId are provided, the permission check is only performed against the target asset, bypassing the deletion check for the source asset volume. Consequently, an authenticated user with replace permissions in one volume can delete assets in another volume where they lack delete permissions, provided they have the sourceAssetId. This can result in data loss and broken content references.Recommendations
Update Craft CMS versions 4.0.0-RC1 through 4.17.13 to version 4.17.14.
Update Craft CMS versions 5.0.0-RC1 through 5.9.20 to version 5.9.21.
Exploit
Fix
Missing Authorization
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Craft Cms