PT-2026-55266 · Craft Cms · Craft Cms
Cataliniovita-Snyk
+1
·
Published
2026-07-02
·
Updated
2026-07-02
·
CVE-2026-50282
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 5.0.0-RC1 through 5.9.20
Craft CMS versions 4.0.0-RC1 through 4.17.13
Description
An authorization issue exists where a forced folder move can delete a conflicting destination folder even if the user lacks the required destination delete permissions. The
craftcontrollersAssetsController::actionMoveFolder() function allows moving an asset folder into a destination parent folder. When a folder with the same name already exists at the destination, the action can be executed with the force parameter set to true to overwrite the destination. The system fails to verify deleteAssets permissions on the destination volume or the conflicting folder, allowing the deletion of the destination folder and its contents. This can lead to asset loss, broken references in entries and fields, and operational disruption.Recommendations
Update Craft CMS to version 5.9.21.
Update Craft CMS to version 4.17.14.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Craft Cms