CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-50284

highcovered by 2 sourcesfirst seen 2026-07-01
Summary AssetsController::actionDeleteFolder() only requires the deleteAssets:<volume-uid> permission for the target folder. It never enforces deletePeerAssets:<volume-uid>, even though Assets::deleteFoldersByIds() cascades deletion to every descendant folder and every asset inside, regardless of who uploaded them. A low-privilege user who has been granted folder-management rights on a shared volume can therefore destroy assets uploaded by other users (peer assets), bypassing the per-asset peer-permission check that the sibling actionDeleteAsset endpoint correctly applies. This is the same bug class that was just fixed in actionMoveFolder as GHSA-3w32-23wj-rxg3 (commit 05c2042, Apr 23 2026); the fix added requireVolumePermissionByFolder('deletePeerAssets', …) and savePeerAssets checks to the move endpoint but did not propagate to the delete-folder endpoint. Details src/controllers/AssetsController.php:552-569: public function actionDeleteFolder(): Response { $this->requireAcceptsJson(); $folderId = $this->request->getRequiredBodyParam('folderId'); $assets = Craft::$app->getAssets(); $folder = $assets->getFolderById($folderId); if (!$folder) { throw new BadRequestHttpException('The folder cannot be found'); } // Check if it's possible to delete objects in the target volume. $this->requireVolumePermissionByFolder('deleteAssets', $folder); // <-- only checks deleteAssets $assets->deleteFoldersByIds($folderId); return $this->asSuccess(); } requireVolumePermissionByFolder() (src/controllers/AssetsControllerTrait.php:75-88) only resolves to a single requirePermission('deleteAssets:<vol-uid>') call. The peer-equivalent helper (requirePeerVolumePermissionByAsset) is never invoked because there is no folder-level peer helper that iterates the folder's contents. Assets::deleteFoldersByIds() (src/services/Assets.php:311-349) then enumerates the folder + every descend

⚡ Watch CVE-2026-50284

Get an email if CVE-2026-50284 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-50284

CVE.org record

Embed the live status

CVE-2026-50284 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-50284 status](https://www.csirts.com/badge/CVE-2026-50284)](https://www.csirts.com/cve/CVE-2026-50284)