CVE-2026-50283

Authorization Bypass in Craft CMS Leading to Asset Deletion

Vulnerability report for CVE-2026-50283, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 through 5.9.20 and 4.0.0-RC1 through 4.17.13 contain an authorization issue in AssetsController::actionReplaceFile() that allows a source asset to be deleted without delete permission on its volume by supplying both assetId and sourceAssetId. AssetsController::actionReplaceFile() supports replacing a target asset's file using another existing asset as the source. The action loads assetId -> $assetToReplace and sourceAssetId -> $sourceAsset, then enforces replace permissions using ($assetToReplace ?: $sourceAsset). When both IDs are provided, this expression resolves to the target asset, so no permission check is performed against the source asset's volume. When both assets are present, Craft copies the source file into the target and then deletes the source asset. There is no deletion check for the source asset. An authenticated user who can replace files in one volume can therefore delete assets in another volume where they do not have delete permission, as long as they can obtain a sourceAssetId, leading to broken content references and data loss. This issue has been fixed in versions 4.17.14 and 5.9.21.
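As an added illustration of the check described above, and not Craft CMS source code, the following sketch places the single-target permission check beside a hardened version that also requires delete permission on the source asset's volume whenever the source will be consumed. The helper names, permission keys and sample assets are assumptions constructed for the example.

```php
<?php
// Added illustration of the authorization flaw described above. Simplified and
// hypothetical, not Craft CMS code; helper names and permission keys are assumed.

function resolveAssets(?int $assetId, ?int $sourceAssetId, array $assets): array
{
    $assetToReplace = $assetId !== null ? ($assets[$assetId] ?? null) : null;
    $sourceAsset    = $sourceAssetId !== null ? ($assets[$sourceAssetId] ?? null) : null;
    return [$assetToReplace, $sourceAsset];
}

// Vulnerable pattern: one check against ($assetToReplace ?: $sourceAsset).
// With both IDs supplied this is always the target, so the source asset's
// volume is never consulted even though the source asset is deleted afterwards.
function vulnerableReplaceAllowed(array $user, ?array $assetToReplace, ?array $sourceAsset): bool
{
    $checked = $assetToReplace ?: $sourceAsset;
    return $checked !== null && can($user, 'replaceFiles', $checked['volume']);
}

// Hardened pattern: require replace permission on the target and, whenever a
// distinct source asset will be consumed (deleted), delete permission on its volume.
function hardenedReplaceAllowed(array $user, ?array $assetToReplace, ?array $sourceAsset): bool
{
    $target = $assetToReplace ?: $sourceAsset;
    if ($target === null || !can($user, 'replaceFiles', $target['volume'])) {
        return false;
    }
    if ($assetToReplace !== null && $sourceAsset !== null) {
        return can($user, 'deleteAssets', $sourceAsset['volume']);
    }
    return true;
}

function can(array $user, string $permission, string $volume): bool
{
    return in_array("$permission:$volume", $user['permissions'], true);
}

// Constructed sample: the user may replace files in "uploads" only; the source
// asset lives in "private", where the user holds no permissions at all.
$user   = ['permissions' => ['replaceFiles:uploads']];
$assets = [
    1 => ['id' => 1, 'volume' => 'uploads'],
    2 => ['id' => 2, 'volume' => 'private'],
];
[$target, $source] = resolveAssets(1, 2, $assets);
echo vulnerableReplaceAllowed($user, $target, $source) ? "vulnerable check: allowed (source would be deleted)\n" : "vulnerable check: denied\n";
echo hardenedReplaceAllowed($user, $target, $source) ? "hardened check: allowed\n" : "hardened check: denied\n";
```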


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor    Product    Version / Range
craftcms  craft_cms  From 4.0.0 (inc) to 4.17.13 (inc)
craftcms  craft_cms  From 5.0.0 (inc) to 5.9.20 (inc)
craftcms  craft_cms  4.17.14
craftcms  craft_cms  5.9.21

CWE
CWE ID   Description
CWE-862  The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639  The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

AI Quick Actions
Executive Summary

This vulnerability exists in Craft CMS versions 5.0.0-RC1 through 5.9.20 and 4.0.0-RC1 through 4.17.13. It is an authorization issue in the AssetsController::actionReplaceFile function. When a user supplies both assetId and sourceAssetId, the action replaces the target asset's file using another existing asset as the source. However, the permission check is performed only against the target asset, not the source asset.

Because of this, an authenticated user who has permission to replace files in one volume can delete assets in another volume where they do not have delete permission, by supplying that asset's ID as sourceAssetId. This leads to unauthorized deletion of source assets, causing broken content references and data loss.

This issue was fixed in versions 4.17.14 and 5.9.21.

Impact Analysis

This vulnerability can lead to unauthorized deletion of assets in Craft CMS. An attacker with replace-file permission in one volume can delete assets in another volume without holding delete permission there.

The impact includes broken content references and potential data loss, which can disrupt website content and functionality.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade Craft CMS to version 4.17.14 or later, or version 5.9.21 or later, where the issue has been fixed.

Ensure that users who have permission to replace files do not have unnecessary delete permissions on other asset volumes.

Review and restrict permissions related to asset replacement and deletion to minimize the risk of unauthorized deletions.
