PT-2026-54780 · Craft Cms · Craft Cms

Cataliniovita-Snyk

+1

·

Published

2026-07-01

·

Updated

2026-07-02

·

CVE-2026-50283

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.13 Craft CMS versions 5.0.0-RC1 through 5.9.20
Description An authorization issue exists in the AssetsController::actionReplaceFile() function. The system allows replacing a target asset file using another existing asset as the source. When both assetId and sourceAssetId are provided, the permission check is only performed against the target asset, bypassing the deletion check for the source asset volume. Consequently, an authenticated user with replace permissions in one volume can delete assets in another volume where they lack delete permissions, provided they have the sourceAssetId. This can result in data loss and broken content references.
Recommendations Update Craft CMS versions 4.0.0-RC1 through 4.17.13 to version 4.17.14. Update Craft CMS versions 5.0.0-RC1 through 5.9.20 to version 5.9.21.

Exploit

Fix

Missing Authorization

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-50283
GHSA-QH45-9G5P-M2V4

Affected Products

Craft Cms