CVE-2026-32262
Received Received - Intake
Path Traversal in Craft CMS AssetsController Allows Arbitrary File Deletion

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32262
EUVD
EUVD-2026-12503
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms From 4.0.0.1 (inc) to 4.17.5 (exc)
craftcms craft_cms From 5.0.1 (inc) to 5.9.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32262 is a low-severity path traversal vulnerability in Craft CMS affecting versions from 4.0.0-RC1 to before 4.17.5 and 5.0.0-RC1 to before 5.9.11. The vulnerability exists in the AssetsController->replaceFile() method, where the targetFilename parameter from the request body is used without proper sanitization in a deleteFile() call before the filename is processed for saving.'}, {'type': 'paragraph', 'content': 'This allows an authenticated user with replaceFiles permission to inject "../" sequences into the filename, enabling them to delete arbitrary files within the same filesystem root. Essentially, a user with permission to replace files on one volume can delete files in other folders or volumes sharing the same filesystem root. The vulnerability only affects local filesystems.'}, {'type': 'paragraph', 'content': "The issue was fixed by adding validation to reject filenames containing directory traversal characters such as '/' or '\\', preventing this kind of attack."}] [1, 2]

Impact Analysis

This vulnerability can allow an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by exploiting path traversal sequences in filenames.

The impact is that files outside the intended directory or volume can be deleted, potentially causing data loss or disruption of service.

Since the vulnerability only affects local filesystems, remote or networked filesystems are not impacted.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves an authenticated user with replaceFiles permission exploiting the targetFilename parameter to perform directory traversal and delete arbitrary files. Detection would involve monitoring for unusual file deletion activities or suspicious requests to the AssetsController->replaceFile() endpoint containing path traversal sequences such as "../" or slashes in the targetFilename parameter.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect potential exploitation attempts include searching web server logs or application logs for requests to the replaceFile endpoint with suspicious filename parameters:'}, {'type': 'list_item', 'content': "grep -i 'replaceFile' /path/to/access.log | grep '\\.\\./'"}, {'type': 'list_item', 'content': "grep -i 'replaceFile' /path/to/access.log | grep '/'"}, {'type': 'list_item', 'content': "Review application logs for BadRequestHttpException errors indicating blocked attempts containing '/' or '\\' in targetFilename."}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to update Craft CMS to a patched version where this vulnerability is fixed. Specifically, upgrade to version 4.17.5 or later if using the 4.x series, or version 5.9.11 or later if using the 5.x series.'}, {'type': 'paragraph', 'content': "The fix includes validation that rejects targetFilename parameters containing directory traversal characters such as '/' or '\\', preventing exploitation."}, {'type': 'paragraph', 'content': 'Additionally, review and restrict permissions to ensure only trusted authenticated users have the replaceFiles permission, minimizing the risk of exploitation.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32262. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart