CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-50282

highcovered by 2 sourcesfirst seen 2026-07-02
We have identified an authorization issue in Craft CMS where a forced folder move can delete a conflicting destination folder without destination delete permission. Description Craft CMS’s craft\\controllers\\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination. The permission checks for this action allow: - deleteAssets:<sourceVolumeUid> for the folder being moved - createFolders:<destVolumeUid> for the destination parent folder - saveAssets:<destVolumeUid> for the destination parent folder The action does not require deleteAssets on the destination volume or destination conflict folder. When force=true and a name conflict exists, the code deletes the destination folder to resolve the conflict. $this->requireVolumePermissionByFolder('deleteAssets', $folderToMove); $this->requireVolumePermissionByFolder('createFolders', $destinationFolder); $this->requireVolumePermissionByFolder('saveAssets', $destinationFolder); *src/controllers/AssetsController.php:L751-L753* Indexed destination conflicts are deleted via the Assets service: $assets->deleteFoldersByIds($existingFolder->id); *src/controllers/AssetsController.php:L798-L798* Unindexed destination conflicts are deleted directly in the volume filesystem: $targetVolume->deleteDirectory(rtrim($destinationFolder->path, '/') . '/' . $folderToMove->name); *src/controllers/AssetsController.php:L815* Impact A user who cannot delete assets in a destination volume can still delete a destination folder and its c

⚡ Watch CVE-2026-50282

Get an email if CVE-2026-50282 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-50282

CVE.org record

Embed the live status

CVE-2026-50282 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-50282 status](https://www.csirts.com/badge/CVE-2026-50282)](https://www.csirts.com/cve/CVE-2026-50282)