PT-2026-55353 · Packagist · Craftcms/Cms
Published 2026-07-02 · Updated 2026-07-02
CVSS v4.0: 7.1 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
We have identified an authorization issue in Craft CMS where a forced folder move can delete a conflicting destination folder without the user holding delete permission on the destination volume.
Description
Craft CMS's craft\controllers\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination. The permission checks for this action require:

- deleteAssets:<sourceVolumeUid> for the folder being moved
- createFolders:<destVolumeUid> for the destination parent folder
- saveAssets:<destVolumeUid> for the destination parent folder

The action does not require deleteAssets on the destination volume or on the conflicting destination folder. The checks performed are:

```php
$this->requireVolumePermissionByFolder('deleteAssets', $folderToMove);
$this->requireVolumePermissionByFolder('createFolders', $destinationFolder);
$this->requireVolumePermissionByFolder('saveAssets', $destinationFolder);
```

When force=true and a name conflict exists, the code deletes the destination folder to resolve the conflict. Indexed destination conflicts are deleted via the Assets service:

```php
$assets->deleteFoldersByIds($existingFolder->id);
```

Unindexed destination conflicts are deleted directly in the volume filesystem:

```php
$targetVolume->deleteDirectory(rtrim($destinationFolder->path, '/') . '/' . $folderToMove->name);
```

Impact
A user who cannot delete assets in a destination volume, but who holds deleteAssets on a source volume and createFolders plus saveAssets on the destination volume, can still delete a destination folder and its contents: they move a folder whose name matches the target with force=true, and the conflict resolution deletes the target. This can cause asset loss, broken references in entries and fields that point to the deleted assets, and operational disruption.
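The following is an added example, not Craft CMS code, that models the check sequence quoted in the description as a self-contained PHP 8.1+ script. The Folder, User and ForbiddenException classes, the requireVolumePermissionByFolder() and moveFolder() functions, the volume UIDs and the permission strings are hypothetical stand-ins shaped after the advisory's snippets. The attacker's permission set is exactly the one the description grants. The $hardened flag adds a deleteAssets check on the conflicting destination folder before it is destroyed; that is one way to close the gap and is not claimed to be the vendor's fix.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS source. Folder, User, ForbiddenException,
// requireVolumePermissionByFolder() and moveFolder() are hypothetical stand-ins
// that reproduce the shape of the checks quoted in the advisory.

final class Folder
{
    /** @param string[] $assets names of assets stored in this folder */
    public function __construct(
        public readonly string $name,
        public readonly string $volumeUid,
        public array $assets = [],
    ) {}
}

final class User
{
    /** @param string[] $permissions entries of the form "<action>:<volumeUid>" */
    public function __construct(private readonly array $permissions) {}

    public function can(string $action, string $volumeUid): bool
    {
        return in_array("{$action}:{$volumeUid}", $this->permissions, true);
    }
}

final class ForbiddenException extends RuntimeException {}

// Stand-in for AssetsController::requireVolumePermissionByFolder():
// throw unless the user holds $action on the folder's volume.
function requireVolumePermissionByFolder(User $user, string $action, Folder $folder): void
{
    if (!$user->can($action, $folder->volumeUid)) {
        throw new ForbiddenException("missing {$action}:{$folder->volumeUid}");
    }
}

// Returns 'moved' or 'conflict'. $existing is the destination folder that
// already carries $folderToMove's name, or null. With $hardened = false the
// function performs exactly the three checks the advisory quotes; with
// $hardened = true it also demands deleteAssets on the conflicting folder
// before destroying it (an assumed mitigation, not necessarily the vendor's).
function moveFolder(
    User $user,
    Folder $folderToMove,
    Folder $destinationFolder,
    ?Folder $existing,
    bool $force,
    bool $hardened,
): string {
    requireVolumePermissionByFolder($user, 'deleteAssets', $folderToMove);
    requireVolumePermissionByFolder($user, 'createFolders', $destinationFolder);
    requireVolumePermissionByFolder($user, 'saveAssets', $destinationFolder);

    if ($existing !== null) {
        if (!$force) {
            return 'conflict';
        }
        if ($hardened) {
            requireVolumePermissionByFolder($user, 'deleteAssets', $existing);
        }
        // Stands in for deleteFoldersByIds() / deleteDirectory(): the
        // conflicting folder's contents are gone.
        $existing->assets = [];
    }
    return 'moved';
}

// Constructed scenario: the attacker may delete in the source volume and
// create/save in the destination volume, but holds no deleteAssets there.
$attacker = new User(['deleteAssets:vol-src', 'createFolders:vol-dst', 'saveAssets:vol-dst']);
$source   = new Folder('reports', 'vol-src');
$destRoot = new Folder('', 'vol-dst');

$victim = new Folder('reports', 'vol-dst', ['q1.pdf', 'q2.pdf']);
$result = moveFolder($attacker, $source, $destRoot, $victim, true, false);
printf("vulnerable: %s, destination assets remaining: %d\n", $result, count($victim->assets));

$victim = new Folder('reports', 'vol-dst', ['q1.pdf', 'q2.pdf']);
try {
    moveFolder($attacker, $source, $destRoot, $victim, true, true);
    echo "hardened: moved (unexpected)\n";
} catch (ForbiddenException $e) {
    printf("hardened: denied (%s), destination assets remaining: %d\n", $e->getMessage(), count($victim->assets));
}
```

Run it with `php` on the command line: the vulnerable path reports the move as successful with the destination folder emptied, while the hardened path refuses with the missing deleteAssets:vol-dst permission and leaves the destination assets in place. The point to carry into a review of similar code is that a "force" or "overwrite" flag turns a create/save operation into a delete, and the authorization check has to cover the object being deleted, not only the object being created.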
Fix

Weakness Enumeration
Missing Authorization

Related Identifiers

Affected Products
Craftcms/Cms