Craft CMS Vulnerable to Unauthorized Folder Deletion (CVE-2026-50282)
A high-severity vulnerability (CVE-2026-50282) in Craft CMS allows an authenticated user to delete destination folders and their contents without explicit delete permissions during a forced folder move operation, enabling asset loss, breaking existing asset references, and causing operational disruption.
A high-severity vulnerability (CVE-2026-50282) has been identified in Craft CMS versions 4.x and 5.x, where an authenticated user can perform unauthorized deletion of destination folders during a forced move operation. Specifically, Craft CMS versions 5.0.0-RC1 through 5.9.20 and 4.0.0-RC1 through 4.17.13 are affected. The flaw resides in craft\controllers\AssetsController::actionMoveFolder(), which permits a folder to be overwritten at the destination if force=true is used, without properly verifying deleteAssets permission for the destination volume. This oversight allows an attacker with legitimate access but lacking explicit delete privileges to eliminate arbitrary destination folders and their contents, leading to data loss, broken asset references within entries and fields, and significant operational disruption for affected organizations utilizing Craft CMS.
Attack Chain
- An authenticated attacker logs into the Craft CMS administrative interface.
- The attacker identifies an existing asset folder,
MaliciousFolder, and a target destination parent folder,TargetDestination, where another legitimate folder (VictimFolder) with the same name asMaliciousFolderalready exists. - The attacker prepares a move operation for
MaliciousFolderintoTargetDestination. - The attacker crafts a request to
craft\controllers\AssetsController::actionMoveFolder()specifyingMaliciousFolderas the source,TargetDestinationas the destination, and includes theforce=trueparameter. - Despite the attacker lacking
deleteAssetspermission for the volume containingVictimFolderwithinTargetDestination, the Craft CMS application logic proceeds. - The application detects the name conflict and, due to the
force=trueparameter, initiates the deletion ofVictimFolderand all its contents usingassets->deleteFoldersByIds($existingFolder->id)ortargetVolume->deleteDirectory(). - Subsequently,
MaliciousFolderis moved intoTargetDestination. - The unauthorized deletion of
VictimFolderresults in data loss, broken asset references in site content, and operational disruption.
Impact
This vulnerability allows an authenticated user, even without explicit delete permissions on the destination volume, to force the deletion of folders and their contents. The direct consequence is asset loss, potentially affecting critical site content and media. This can lead to broken references throughout the Craft CMS instance, rendering parts of the website non-functional or displaying incorrect information. Organizations using affected versions of Craft CMS could face significant operational disruption, data recovery efforts, and reputational damage due to the loss of digital assets.
Recommendation
- Immediately apply available patches for Craft CMS, upgrading affected installations to versions
5.9.21or4.17.14or later to remediate CVE-2026-50282. - Review and strictly enforce user role permissions within Craft CMS, particularly for
deleteAssetsandcreateFolderson asset volumes, as this vulnerability allows an authorization bypass related to these. - Ensure comprehensive web server access logging is enabled for your Craft CMS instance. Specifically, monitor for
POSTrequests to/admin/actions/assets/move-folderthat include theforce=trueparameter, especially when originating from user accounts with limited asset management privileges.