CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-qh45-9g5p-m2v4: Craft CMS: Unauthorized Deletion of Source Assets During File Replacement

mediumCVE-2026-50283
We have identified an authorization issue in Craft CMS AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId. Description Craft CMS’s craft\\controllers\\AssetsController::actionReplaceFile() supports replacing a target asset file using another existing asset as the source. The action loads: - $assetToReplace from assetId - $sourceAsset from sourceAssetId It then enforces replace permissions using ($assetToReplace ?: $sourceAsset). When both IDs are provided, this expression resolves to the target asset so no permission check is performed against the source asset volume. $this->requireVolumePermissionByAsset('replaceFiles', $assetToReplace ?: $sourceAsset); $this->requirePeerVolumePermissionByAsset('replacePeerFiles', $assetToReplace ?: $sourceAsset); *src/controllers/AssetsController.php:L433-L434* In the branch where both assets are present, Craft copies the source file into the target and then deletes the source asset. There is no check for deleteAssets:<sourceVolumeUid> or deletePeerAssets:<sourceVolumeUid> for the source asset before deletion. $assets->replaceAssetFile($assetToReplace, $tempPath, $assetToReplace->getFilename(), $sourceAsset->getMimeType()); Craft::$app->getElements()->deleteElement($sourceAsset); *src/controllers/AssetsController.php:L462-L463* Impact An authenticated user who can replace files in one volume can delete assets in another volume where they do not have delete permission, as long as they can obtain a sourceAssetId. This can lead to unauthorized asset deletion, broken content references, and data loss.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-qh45-9g5p-m2v4

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-50283coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from GitHub Security Advisories