PT-2026-55353 · Packagist · Craftcms/Cms

Published

2026-07-02

·

Updated

2026-07-02

CVSS v4.0

7.1

High

Vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
We have identified an authorization issue in Craft CMS: a forced folder move deletes a conflicting folder at the destination even when the user has no permission to delete assets in the destination volume.

Description

Craft CMS's craft\controllers\AssetsController::actionMoveFolder() moves an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite it.
The action's permission checks require only:
  • deleteAssets:<sourceVolumeUid> for the folder being moved
  • createFolders:<destVolumeUid> for the destination parent folder
  • saveAssets:<destVolumeUid> for the destination parent folder
Nothing requires deleteAssets on the destination volume, so the user's right to delete the conflicting destination folder is never checked. When force=true and a name conflict exists, the code deletes that folder to resolve the conflict.
```php
// All three checks are keyed on a volume: the first on the source volume,
// the other two on the destination volume. None of them is deleteAssets
// on the destination.
$this->requireVolumePermissionByFolder('deleteAssets', $folderToMove);
$this->requireVolumePermissionByFolder('createFolders', $destinationFolder);
$this->requireVolumePermissionByFolder('saveAssets', $destinationFolder);
```
Indexed destination conflicts are deleted via the Assets service:
```php
$assets->deleteFoldersByIds($existingFolder->id);
```
Unindexed destination conflicts are deleted directly in the volume filesystem:
```php
$targetVolume->deleteDirectory(rtrim($destinationFolder->path, '/') . '/' . $folderToMove->name);
```
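The following is an added, self-contained PHP model of the flow described above. It is not Craft CMS code and the vendor's actual fix may differ; Folder, ForbiddenException, moveFolder(), the $hardened switch and the vol-A / vol-B data are assumptions made for this illustration (PHP 8.1 or later for readonly promoted properties). It runs the same forced move twice: once with only the three quoted checks, where the conflicting destination folder is deleted, and once with an added deleteAssets check on the destination, where the same request is refused.

```php
<?php
// Added model of the actionMoveFolder() permission flow, not Craft CMS source.
// Folder, ForbiddenException, moveFolder() and the vol-A / vol-B data below
// are assumptions made for this illustration.

final class ForbiddenException extends RuntimeException {}

final class Folder
{
    public function __construct(
        public readonly int $id,
        public readonly int $parentId,
        public readonly string $name,
        public readonly string $volumeUid,
        public readonly string $path,   // volume-relative, trailing slash as in Craft
    ) {}
}

// Stand-in for requireVolumePermissionByFolder(): permissions are strings of
// the form "<permission>:<volumeUid>", keyed on the volume owning $folder, so a
// check on the source folder says nothing about the destination volume.
function requireVolumePermissionByFolder(array $userPermissions, string $permission, Folder $folder): void
{
    $key = "$permission:{$folder->volumeUid}";
    if (!in_array($key, $userPermissions, true)) {
        throw new ForbiddenException("missing $key");
    }
}

/**
 * @param string[] $userPermissions  the caller's volume permissions
 * @param Folder[] $index            indexed folders (stand-in for the assets table)
 * @param string[] $filesystem       directories present in the destination volume but not indexed
 * @return string[]                  actions taken, for inspection
 */
function moveFolder(array $userPermissions, Folder $folderToMove, Folder $destinationFolder,
                    array $index, array $filesystem, bool $force, bool $hardened): array
{
    $log = [];

    // The three checks the advisory quotes; none of them covers deletion in the destination volume.
    requireVolumePermissionByFolder($userPermissions, 'deleteAssets', $folderToMove);
    requireVolumePermissionByFolder($userPermissions, 'createFolders', $destinationFolder);
    requireVolumePermissionByFolder($userPermissions, 'saveAssets', $destinationFolder);

    $targetPath = rtrim($destinationFolder->path, '/') . '/' . $folderToMove->name;

    // Indexed conflict: a folder with the same name under the destination parent.
    $existingFolder = null;
    foreach ($index as $f) {
        if ($f->parentId === $destinationFolder->id && $f->name === $folderToMove->name) {
            $existingFolder = $f;
            break;
        }
    }
    // Unindexed conflict: the directory exists on the volume filesystem only.
    $unindexedConflict = in_array($targetPath, $filesystem, true);

    if ($existingFolder !== null || $unindexedConflict) {
        if (!$force) {
            return ['conflict'];
        }
        if ($hardened) {
            // The missing check: overwriting deletes data in the destination volume,
            // so the caller needs deleteAssets there, for either conflict kind.
            requireVolumePermissionByFolder($userPermissions, 'deleteAssets', $destinationFolder);
        }
        $log[] = $existingFolder !== null
            ? "deleteFoldersByIds:{$existingFolder->id}"   // Assets service branch
            : "deleteDirectory:$targetPath";                // volume filesystem branch
    }

    $log[] = "moved:{$folderToMove->id}->$targetPath";
    return $log;
}

// Constructed scenario: full rights on volume vol-A, but no deleteAssets on vol-B.
$attacker    = ['deleteAssets:vol-A', 'createFolders:vol-B', 'saveAssets:vol-B'];
$source      = new Folder(10, 1, 'reports', 'vol-A', 'reports/');
$destination = new Folder(20, 2, 'shared', 'vol-B', 'shared/');
$victim      = new Folder(21, 20, 'reports', 'vol-B', 'shared/reports/');

// Vulnerable flow: the victim folder in vol-B is deleted to make room.
print_r(moveFolder($attacker, $source, $destination, [$victim], [], true, false));

// The same request against the hardened flow is refused.
try {
    moveFolder($attacker, $source, $destination, [$victim], [], true, true);
} catch (ForbiddenException $e) {
    echo "refused: {$e->getMessage()}\n";
}
```

The check is placed on $destinationFolder rather than on the conflicting folder because the permission is volume-scoped and both the indexed and the unindexed conflict live in the destination volume; one check therefore covers both delete branches. When reviewing a real patch, confirm that the filesystem deleteDirectory() branch is guarded as well as the deleteFoldersByIds() branch.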

Impact

A user who holds deleteAssets on a source volume and createFolders plus saveAssets on a destination volume, but not deleteAssets on the destination, can delete any destination folder and its contents by moving a same-named folder there with force=true. This can cause asset loss, broken references in entries and fields that point to the deleted assets, and operational disruption.

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

GHSA-3W32-23WJ-RXG3

Affected Products

Craftcms/Cms