GHSA-3w32-23wj-rxg3: Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves
We have identified an authorization issue in Craft CMS where a forced folder move can delete a conflicting destination folder without destination delete permission.
Description
Craft CMS’s craft\\controllers\\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination.
The permission checks for this action allow:
- deleteAssets:<sourceVolumeUid> for the folder being moved
- createFolders:<destVolumeUid> for the destination parent folder
- saveAssets:<destVolumeUid> for the destination parent folder
The action does not require deleteAssets on the destination volume or destination conflict folder. When force=true and a name conflict exists, the code deletes the destination folder to resolve the conflict.
$this->requireVolumePermissionByFolder('deleteAssets', $folderToMove);
$this->requireVolumePermissionByFolder('createFolders', $destinationFolder);
$this->requireVolumePermissionByFolder('saveAssets', $destinationFolder);
*src/controllers/AssetsController.php:L751-L753*
Indexed destination conflicts are deleted via the Assets service:
$assets->deleteFoldersByIds($existingFolder->id);
*src/controllers/AssetsController.php:L798-L798*
Unindexed destination conflicts are deleted directly in the volume filesystem:
$targetVolume->deleteDirectory(rtrim($destinationFolder->path, '/') . '/' . $folderToMove->name);
*src/controllers/AssetsController.php:L815*
Impact
A user who cannot delete assets in a destination volume can still delete a destination folder and its c
Details
Original advisory: https://github.com/advisories/GHSA-3w32-23wj-rxg3
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-502820.21% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 11% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-50282 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10