CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-3w32-23wj-rxg3: Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves

highCVE-2026-50282
We have identified an authorization issue in Craft CMS where a forced folder move can delete a conflicting destination folder without destination delete permission. Description Craft CMS’s craft\\controllers\\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination. The permission checks for this action allow: - deleteAssets:<sourceVolumeUid> for the folder being moved - createFolders:<destVolumeUid> for the destination parent folder - saveAssets:<destVolumeUid> for the destination parent folder The action does not require deleteAssets on the destination volume or destination conflict folder. When force=true and a name conflict exists, the code deletes the destination folder to resolve the conflict. $this->requireVolumePermissionByFolder('deleteAssets', $folderToMove); $this->requireVolumePermissionByFolder('createFolders', $destinationFolder); $this->requireVolumePermissionByFolder('saveAssets', $destinationFolder); *src/controllers/AssetsController.php:L751-L753* Indexed destination conflicts are deleted via the Assets service: $assets->deleteFoldersByIds($existingFolder->id); *src/controllers/AssetsController.php:L798-L798* Unindexed destination conflicts are deleted directly in the volume filesystem: $targetVolume->deleteDirectory(rtrim($destinationFolder->path, '/') . '/' . $folderToMove->name); *src/controllers/AssetsController.php:L815* Impact A user who cannot delete assets in a destination volume can still delete a destination folder and its c

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-3w32-23wj-rxg3

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-50282coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from GitHub Security Advisories