CVE-2026-50282
Status: Deferred - Pending Action

Authorization Bypass in Craft CMS via Folder Move

Vulnerability report for CVE-2026-50282, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: GitHub, Inc.

Description

Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 and above prior to 5.9.21, and versions 4.0.0-RC1 and above prior to 4.17.14, contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. The function craft\controllers\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination. This issue has been resolved in versions 5.9.21 and 4.17.14.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor   | Product   | Version / Range
craftcms | craft_cms | From 5.0.0-RC1 (inc) to 5.9.21 (exc)
craftcms | craft_cms | From 4.0.0-RC1 (inc) to 4.17.14 (exc)

Exploitability

CWE ID  | Description
CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

AI Quick Actions (AI-generated summary)

Executive Summary

CVE-2026-50282 is a vulnerability in Craft CMS versions 4.0.0-RC1 up to but not including 4.17.14, and 5.0.0-RC1 through 5.9.20, that involves an authorization issue during forced folder moves.

Specifically, the vulnerability exists in the actionMoveFolder() method of the AssetsController class, which allows moving an asset folder into a destination parent folder.

If a folder with the same name already exists at the destination, using the force=true parameter will overwrite the destination folder.

However, the vulnerable code does not check for delete permission on the destination folder or volume; it checks only the source volume and create/save permissions on the destination.

This means a user with create and save permissions on the destination can delete folders and their contents there without holding the delete permission that would normally be required.
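
The following PHP example is added here to illustrate the authorization gap described above; it is not Craft CMS code, and the User and Folder classes and the permission names (viewAssets, createFolders, saveAssets, deleteAssets) are hypothetical stand-ins for whatever the real product uses. It places the incomplete check beside a hardened one that treats a forced overwrite as the delete it really is.

```php
<?php
// Added illustration, not Craft CMS code. Classes and permission names
// below are hypothetical; only the control flow of the check matters.

final class Folder
{
    public function __construct(
        public string $name,
        public string $volume,
        public ?Folder $parent = null,
    ) {}
}

final class User
{
    /** @param array<string, string[]> $permissions volume name => granted permission names */
    public function __construct(private array $permissions) {}

    public function can(string $permission, string $volume): bool
    {
        return in_array($permission, $this->permissions[$volume] ?? [], true);
    }
}

/**
 * Incomplete check, mirroring the flaw described above: it verifies access
 * to the source volume and create/save on the destination, but never asks
 * whether the user may delete the folder that a forced move will overwrite.
 */
function canMoveFolderVulnerable(User $user, Folder $source, Folder $destParent, ?Folder $conflict, bool $force): bool
{
    if (!$user->can('viewAssets', $source->volume)) return false;
    if (!$user->can('createFolders', $destParent->volume)) return false;
    if (!$user->can('saveAssets', $destParent->volume)) return false;
    // $conflict and $force are ignored here: with force=true the conflicting
    // destination folder is removed without any delete authorization.
    return true;
}

/**
 * Hardened check: a forced move that removes a conflicting destination
 * folder is a delete, so it must be authorized like one.
 */
function canMoveFolderFixed(User $user, Folder $source, Folder $destParent, ?Folder $conflict, bool $force): bool
{
    if (!canMoveFolderVulnerable($user, $source, $destParent, $conflict, $force)) return false;
    if ($conflict !== null) {
        if (!$force) return false; // name clash without force: refuse rather than overwrite
        if (!$user->can('deleteAssets', $conflict->volume)) return false;
    }
    return true;
}

// Constructed scenario: the user may create and save in "images" but may not delete there.
$user = new User([
    'uploads' => ['viewAssets', 'deleteAssets'],
    'images'  => ['viewAssets', 'createFolders', 'saveAssets'],
]);
$source   = new Folder('2024', 'uploads');
$destRoot = new Folder('/', 'images');
$conflict = new Folder('2024', 'images', $destRoot); // same name already exists at the destination

printf("vulnerable check permits forced overwrite: %s\n",
    canMoveFolderVulnerable($user, $source, $destRoot, $conflict, true) ? 'yes' : 'no');
printf("hardened check permits forced overwrite:   %s\n",
    canMoveFolderFixed($user, $source, $destRoot, $conflict, true) ? 'yes' : 'no');
```

The design point is that the permission required for an operation must follow its effect, not its name: when a "move" can destroy an existing folder, the destination delete permission has to be evaluated on the folder being destroyed, and the conflicting-name case should be rejected outright unless the caller both asked for force and holds that permission.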

Impact Analysis

This vulnerability can lead to unauthorized deletion of folders and their contents in the Craft CMS asset management system.

  • Loss of important assets stored in the deleted folders.
  • Broken references in entries and fields that rely on the deleted assets.
  • Operational disruption due to missing or corrupted content.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Craft CMS to a fixed version.

  • Upgrade to version 4.17.14 or later if you are using the 4.x series.
  • Upgrade to version 5.9.21 or later if you are using the 5.x series.

These versions contain patches that fix the authorization issue allowing unauthorized deletion of destination folders during forced moves.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
