CVE-2026-50283
We have identified an authorization issue in Craft CMS AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId.
Description
Craft CMS’s craft\\controllers\\AssetsController::actionReplaceFile() supports replacing a target asset file using another existing asset as the source. The action loads:
- $assetToReplace from assetId
- $sourceAsset from sourceAssetId
It then enforces replace permissions using ($assetToReplace ?: $sourceAsset). When both IDs are provided, this expression resolves to the target asset so no permission check is performed against the source asset volume.
$this->requireVolumePermissionByAsset('replaceFiles', $assetToReplace ?: $sourceAsset);
$this->requirePeerVolumePermissionByAsset('replacePeerFiles', $assetToReplace ?: $sourceAsset);
*src/controllers/AssetsController.php:L433-L434*
In the branch where both assets are present, Craft copies the source file into the target and then deletes the source asset. There is no check for deleteAssets:<sourceVolumeUid> or deletePeerAssets:<sourceVolumeUid> for the source asset before deletion.
$assets->replaceAssetFile($assetToReplace, $tempPath, $assetToReplace->getFilename(), $sourceAsset->getMimeType());
Craft::$app->getElements()->deleteElement($sourceAsset);
*src/controllers/AssetsController.php:L462-L463*
Impact
An authenticated user who can replace files in one volume can delete assets in another volume where they do not have delete permission, as long as they can obtain a sourceAssetId. This can lead to unauthorized asset deletion, broken content references, and data loss.
⚡ Watch CVE-2026-50283
Get an email if CVE-2026-50283 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.27% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 18% of all EPSS-scored CVEs.
Advisory coverage (2)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-50283)