CVE-2026-50282
Severity: Medium (CVSS 4.9)
Exploitation Probability (EPSS): Low risk, 11th percentile (higher than 11% of all known CVEs)
Summary
Craft CMS versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without the required delete permission. The vulnerability is in the actionMoveFolder() function of the AssetsController.
Risk Assessment
An attacker can delete folders in the CMS without proper permissions, potentially causing data loss or application disruption.
Recommendation
Update Craft CMS to version 5.9.21 or 4.17.14 immediately to remediate the vulnerability.
Original NVD description (English source)
Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 and above, prior to 5.9.21, and versions 4.0.0-RC1 and above, prior to 4.17.14, contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function craft\controllers\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination. This issue has been resolved in versions 5.9.21 and 4.17.14.
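The authorization gap described above, as an added illustration that is not Craft's code: a simplified move-folder action in the vulnerable shape (only the move permission is checked, so a forced overwrite removes the conflicting destination folder) next to the hardened shape (delete permission required before any removal). The permission names, folder layout and function names are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed model of the authorization decision in a forced folder move.
# Not Craft CMS code; permission names and folder layout are assumptions.

class PermissionDenied(Exception):
    pass

@dataclass
class User:
    permissions: frozenset

    def can(self, perm):
        return perm in self.permissions

def sample_tree():
    # Constructed layout: root(1) holds "a"(2), "b"(3) and a "docs"(5);
    # "b"(3) holds another "docs"(4), which conflicts when moved to root.
    return {1: {"name": "root", "parent": None},
            2: {"name": "a", "parent": 1},
            3: {"name": "b", "parent": 1},
            4: {"name": "docs", "parent": 3},
            5: {"name": "docs", "parent": 1}}

def find_child(tree, parent_id, name):
    return next((fid for fid, f in tree.items()
                 if f["parent"] == parent_id and f["name"] == name), None)

def move_folder_vulnerable(tree, user, folder_id, dest_id, force=False):
    # Vulnerable shape: only the move permission is checked, so force=True
    # deletes a conflicting destination folder regardless of delete rights.
    if not user.can("moveFolders"):
        raise PermissionDenied("moveFolders")
    conflict = find_child(tree, dest_id, tree[folder_id]["name"])
    if conflict is not None:
        if not force:
            return {"success": False, "conflict": conflict}
        del tree[conflict]  # destination folder removed with no delete check
    tree[folder_id]["parent"] = dest_id
    return {"success": True}

def move_folder_fixed(tree, user, folder_id, dest_id, force=False):
    # Hardened shape: the delete permission is required for the conflicting
    # folder, and the check happens before any mutation of the tree.
    if not user.can("moveFolders"):
        raise PermissionDenied("moveFolders")
    conflict = find_child(tree, dest_id, tree[folder_id]["name"])
    if conflict is not None:
        if not force:
            return {"success": False, "conflict": conflict}
        if not user.can("deleteFolders"):
            raise PermissionDenied("deleteFolders")
        del tree[conflict]
    tree[folder_id]["parent"] = dest_id
    return {"success": True}
```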

