{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/products/cms--5.0.0-rc1--5.9.18/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cves": ["CVE-2026-44012"],
      "_cs_exploited": false,
      "_cs_products": ["cms (\u003e= 5.0.0-RC1, \u003c 5.9.18)"],
      "_cs_severities": ["high"],
      "_cs_tags": ["information-disclosure", "web-application", "craftcms"],
      "_cs_type": "advisory",
      "_cs_vendors": ["craftcms"],
      "content_html": "\u003cp\u003eCraft CMS versions from 5.0.0-RC1 up to, but not including, 5.9.18 contain an information disclosure vulnerability in the \u003ccode\u003eAssetsController::actionShowInFolder()\u003c/code\u003e method. Any authenticated control panel user, regardless of their volume permissions, can enumerate asset filenames and the folder structure of every volume in the Craft CMS instance. The method fetches the asset named in the request and returns its folder hierarchy without checking whether the requesting user is permitted to view the asset\u0026rsquo;s volume. The issue was introduced shortly before a patch wave that fixed similar permission checks in other \u003ccode\u003eAssetsController\u003c/code\u003e actions, and that wave did not cover this action. Successful exploitation gives an attacker unauthorized insight into how sensitive assets are organized, which can be leveraged in follow-up attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Craft CMS control panel with minimal permissions (\u003ccode\u003eaccessCp\u003c/code\u003e only).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the \u003ccode\u003eAssetsController::actionShowInFolder()\u003c/code\u003e action with an \u003ccode\u003eassetId\u003c/code\u003e parameter set to the ID of an asset in a volume the user has no permission to view. Any asset ID is accepted, so the attacker can iterate over candidate IDs.\u003c/li\u003e\n\u003cli\u003eThe action loads the asset without validating the user\u0026rsquo;s volume-level permissions.\u003c/li\u003e\n\u003cli\u003eIt collects the asset\u0026rsquo;s filename and complete folder hierarchy: volume handle, volume UID, folder names, folder UIDs and folder URI paths.\u003c/li\u003e\n\u003cli\u003eThat data is returned to the attacker as a JSON response, revealing the structure of the asset\u0026rsquo;s volume.\u003c/li\u003e\n\u003cli\u003eRepeating the request across asset IDs yields the filenames and folder structures of every volume, which the attacker can use to target the exposed files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAny authenticated user with control panel access can discover the filenames and folder structures of assets in volumes they are not permitted to access, such as private document repositories or confidential media. The flaw discloses names and paths, not file contents, but knowledge of a private asset\u0026rsquo;s filename and folder path lets an attacker mount targeted follow-up attacks, such as trying to reach the file directly through another vulnerability or a misconfiguration, and so can lead to unauthorized access to internal files and further compromise of the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Craft CMS to version 5.9.18 or later to patch the vulnerability (CVE-2026-44012).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Craft CMS Unauthorized Asset Folder Structure Access\u003c/code\u003e to detect unauthorized access attempts to asset folder structures via the \u003ccode\u003eAssetsController::actionShowInFolder\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview control panel accounts and permissions. On unpatched versions every user with \u003ccode\u003eaccessCp\u003c/code\u003e can exercise this flaw, so limit control panel access to the users who need it and grant volume permissions only where required.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-05-06T17:54:47Z",
      "date_published": "2026-05-06T17:54:47Z",
      "id": "/briefs/2026-05-craftcms-infoleak/",
      "summary": "Craft CMS versions 5.0.0-RC1 before 5.9.18 are vulnerable to information disclosure where an authenticated control panel user with only accessCp permission can discover filenames and the complete folder structure of assets in unauthorized volumes by supplying arbitrary asset IDs to AssetsController::actionShowInFolder(), exposing sensitive volume structures and enabling targeted follow-up attacks.",
      "title": "Craft CMS Missing Volume Permission Check Allows Information Disclosure",
      "url": "https://feed.craftedsignal.io/briefs/2026-05-craftcms-infoleak/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Craft CMS (\u003e= 5.0.0-RC1, \u003c 5.9.18)",
  "version": "https://jsonfeed.org/version/1.1"
}
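The attack chain and the Sigma recommendation above describe an enumeration pattern that is visible in ordinary web access logs: one control panel user pulling many distinct `assetId` values through the show-in-folder action in a short window. The following detector is an added example and is not the CraftedSignal Sigma rule, Craft CMS code, or anything from the feed. It assumes Craft's kebab-case route convention maps `AssetsController::actionShowInFolder()` to the action path `assets/show-in-folder` (reachable under the `actions` trigger, via `?p=actions/...`, or via an `action` parameter), that a patched instance denies the request with HTTP 403, and a combined-format access log that records the authenticated Craft username in the remote-user field. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Assumption (not from the advisory): Craft routes AssetsController::actionShowInFolder()
# as the action path "assets/show-in-folder". The "assetId" parameter name is from the
# advisory itself.
ACTION = "assets/show-in-folder"

# Constructed combined-format access log with the Craft username in the remote-user
# field. "editor" re-reads one asset (benign); "contractor" sweeps IDs 1..7 and gets a
# 403 on the last one (the response a patched instance is assumed to give).
SAMPLE_LOG = """\
10.0.0.5 - editor [06/May/2026:10:00:01 +0000] "GET /actions/assets/show-in-folder?assetId=17 HTTP/1.1" 200 412
10.0.0.5 - editor [06/May/2026:10:03:40 +0000] "GET /actions/assets/show-in-folder?assetId=17 HTTP/1.1" 200 412
10.0.0.9 - contractor [06/May/2026:10:10:05 +0000] "GET /index.php?p=actions/assets/show-in-folder&assetId=1 HTTP/1.1" 200 388
10.0.0.9 - contractor [06/May/2026:10:10:06 +0000] "GET /index.php?p=actions/assets/show-in-folder&assetId=2 HTTP/1.1" 200 390
10.0.0.9 - contractor [06/May/2026:10:10:06 +0000] "GET /index.php?p=actions/assets/show-in-folder&assetId=3 HTTP/1.1" 200 401
10.0.0.9 - contractor [06/May/2026:10:10:07 +0000] "GET /index.php?p=actions/assets/show-in-folder&assetId=4 HTTP/1.1" 200 395
10.0.0.9 - contractor [06/May/2026:10:10:07 +0000] "GET /index.php?p=actions/assets/show-in-folder&assetId=5 HTTP/1.1" 200 402
10.0.0.9 - contractor [06/May/2026:10:10:08 +0000] "GET /index.php?p=actions/assets/show-in-folder&assetId=6 HTTP/1.1" 200 399
10.0.0.9 - contractor [06/May/2026:10:10:09 +0000] "GET /index.php?action=assets/show-in-folder&assetId=7 HTTP/1.1" 403 96
10.0.0.7 - admin [06/May/2026:10:12:00 +0000] "GET /admin/assets HTTP/1.1" 200 9012
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def show_in_folder_asset_id(target):
    """Return the assetId if the request targets the show-in-folder action (None when the
    ID is not in the URL, e.g. it was sent in a POST body); return False for other URLs."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    in_path = ACTION in parts.path
    in_p = any(ACTION in v for v in query.get("p", []))
    in_action = ACTION in query.get("action", [])
    if not (in_path or in_p or in_action):
        return False
    ids = query.get("assetId")
    return ids[0] if ids else None


def detect_enumeration(log_text, window=timedelta(minutes=5), threshold=5):
    """Flag each user who fetched `threshold` or more distinct assets through the
    show-in-folder action within `window`. Only 2xx responses count as disclosure;
    403s are tallied separately as denied attempts, which is what a patched instance
    is assumed to return."""
    hits = defaultdict(list)      # user -> [(timestamp, asset_id), ...]
    denied = defaultdict(int)     # user -> number of 403 responses
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        asset_id = show_in_folder_asset_id(rec["target"])
        if asset_id is False:
            continue
        if rec["status"] == 403:
            denied[rec["user"]] += 1
        elif 200 <= rec["status"] < 300:
            hits[rec["user"]].append((rec["ts"], asset_id))

    alerts = []
    for user, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each event; one alert per user is enough.
            in_window = [a for t, a in events[i:] if t - start <= window]
            distinct = {a for a in in_window if a is not None}
            if len(distinct) >= threshold:
                alerts.append({"user": user, "start": start.isoformat(),
                               "distinct_assets": sorted(distinct),
                               "denied": denied.get(user, 0)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

The threshold and window are starting points; a content team that legitimately opens many assets from the control panel UI will also trigger the action, so tune them against a baseline of normal `accessCp` users and treat a non-zero `denied` count after the upgrade as confirmation that the patch is doing its job.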