PT-2026-55266 · Craft Cms · Craft Cms

Cataliniovita-Snyk

+1

·

Published

2026-07-02

·

Updated

2026-07-02

·

CVE-2026-50282

CVSS v4.0

7.1

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 through 5.9.20 Craft CMS versions 4.0.0-RC1 through 4.17.13
Description An authorization issue exists where a forced folder move can delete a conflicting destination folder even if the user lacks the required destination delete permissions. The craftcontrollersAssetsController::actionMoveFolder() function allows moving an asset folder into a destination parent folder. When a folder with the same name already exists at the destination, the action can be executed with the force parameter set to true to overwrite the destination. The system fails to verify deleteAssets permissions on the destination volume or the conflicting folder, allowing the deletion of the destination folder and its contents. This can lead to asset loss, broken references in entries and fields, and operational disruption.
Recommendations Update Craft CMS to version 5.9.21. Update Craft CMS to version 4.17.14.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-50282
GHSA-3W32-23WJ-RXG3

Affected Products

Craft Cms