CVE-2026-50282
We have identified an authorization issue in Craft CMS where a forced folder move can delete a conflicting destination folder without destination delete permission.
Description
Craft CMS’s craft\\controllers\\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination.
The permission checks for this action allow:
- deleteAssets:<sourceVolumeUid> for the folder being moved
- createFolders:<destVolumeUid> for the destination parent folder
- saveAssets:<destVolumeUid> for the destination parent folder
The action does not require deleteAssets on the destination volume or destination conflict folder. When force=true and a name conflict exists, the code deletes the destination folder to resolve the conflict.
$this->requireVolumePermissionByFolder('deleteAssets', $folderToMove);
$this->requireVolumePermissionByFolder('createFolders', $destinationFolder);
$this->requireVolumePermissionByFolder('saveAssets', $destinationFolder);
*src/controllers/AssetsController.php:L751-L753*
Indexed destination conflicts are deleted via the Assets service:
$assets->deleteFoldersByIds($existingFolder->id);
*src/controllers/AssetsController.php:L798-L798*
Unindexed destination conflicts are deleted directly in the volume filesystem:
$targetVolume->deleteDirectory(rtrim($destinationFolder->path, '/') . '/' . $folderToMove->name);
*src/controllers/AssetsController.php:L815*
Impact
A user who cannot delete assets in a destination volume can still delete a destination folder and its c
⚡ Watch CVE-2026-50282
Get an email if CVE-2026-50282 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.21% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 11% of all EPSS-scored CVEs.
Advisory coverage (2)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-50282)