CVE Catalog

CVE-2026-50284

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

In Craft CMS versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, the folder deletion function does not enforce peer asset deletion permissions. A low-privilege user can delete folders and all contained assets, including those uploaded by other users.

Risk Assessment

The organization is at risk of unauthorized asset deletion by low-privilege users, potentially leading to data loss and system integrity compromise.

Recommendation

Immediately update Craft CMS to version 4.17.15 or 5.9.22, which contain the fix for this vulnerability.

Original NVD description (English source)

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder() only requires the deleteAssets:<volume-uid> permission for the target folder. It never enforces deletePeerAssets:<volume-uid>, even though Assets::deleteFoldersByIds() cascades deletion to every descendant folder and every asset inside, regardless of the uploader's assigned privileges. A low-privilege user who has been granted folder-management rights on a shared volume can therefore destroy assets uploaded by other users (peer assets), bypassing the per-asset peer-permission check that the sibling actionDeleteAsset endpoint correctly applies. This issue has been fixed in versions 4.17.15 and 5.9.22.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS