{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/craft-cms--4.0.0-rc1--4.17.14/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-50282"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Craft CMS (\u003e= 5.0.0-RC1, \u003c 5.9.21)","Craft CMS (\u003e= 4.0.0-RC1, \u003c 4.17.14)"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","cms","craft-cms","webserver","cve"],"_cs_type":"advisory","_cs_vendors":["Craft CMS"],"content_html":"\u003cp\u003eA high-severity vulnerability (CVE-2026-50282) has been identified in Craft CMS versions 4.x and 5.x, where an authenticated user can perform unauthorized deletion of destination folders during a forced move operation. Specifically, Craft CMS versions \u003ccode\u003e5.0.0-RC1\u003c/code\u003e through \u003ccode\u003e5.9.20\u003c/code\u003e and \u003ccode\u003e4.0.0-RC1\u003c/code\u003e through \u003ccode\u003e4.17.13\u003c/code\u003e are affected. The flaw resides in \u003ccode\u003ecraft\\controllers\\AssetsController::actionMoveFolder()\u003c/code\u003e, which permits a folder to be overwritten at the destination if \u003ccode\u003eforce=true\u003c/code\u003e is used, without properly verifying \u003ccode\u003edeleteAssets\u003c/code\u003e permission for the destination volume. This oversight allows an attacker with legitimate access but lacking explicit delete privileges to eliminate arbitrary destination folders and their contents, leading to data loss, broken asset references within entries and fields, and significant operational disruption for affected organizations utilizing Craft CMS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker logs into the Craft CMS administrative interface.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an existing asset folder, \u003ccode\u003eMaliciousFolder\u003c/code\u003e, and a target destination parent folder, \u003ccode\u003eTargetDestination\u003c/code\u003e, where another legitimate folder (\u003ccode\u003eVictimFolder\u003c/code\u003e) with the same name as \u003ccode\u003eMaliciousFolder\u003c/code\u003e already exists.\u003c/li\u003e\n\u003cli\u003eThe attacker prepares a move operation for \u003ccode\u003eMaliciousFolder\u003c/code\u003e into \u003ccode\u003eTargetDestination\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to \u003ccode\u003ecraft\\controllers\\AssetsController::actionMoveFolder()\u003c/code\u003e specifying \u003ccode\u003eMaliciousFolder\u003c/code\u003e as the source, \u003ccode\u003eTargetDestination\u003c/code\u003e as the destination, and includes the \u003ccode\u003eforce=true\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eDespite the attacker lacking \u003ccode\u003edeleteAssets\u003c/code\u003e permission for the volume containing \u003ccode\u003eVictimFolder\u003c/code\u003e within \u003ccode\u003eTargetDestination\u003c/code\u003e, the Craft CMS application logic proceeds.\u003c/li\u003e\n\u003cli\u003eThe application detects the name conflict and, due to the \u003ccode\u003eforce=true\u003c/code\u003e parameter, initiates the deletion of \u003ccode\u003eVictimFolder\u003c/code\u003e and all its contents using \u003ccode\u003eassets-\u0026gt;deleteFoldersByIds($existingFolder-\u0026gt;id)\u003c/code\u003e or \u003ccode\u003etargetVolume-\u0026gt;deleteDirectory()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSubsequently, \u003ccode\u003eMaliciousFolder\u003c/code\u003e is moved into \u003ccode\u003eTargetDestination\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe unauthorized deletion of \u003ccode\u003eVictimFolder\u003c/code\u003e results in data loss, broken asset references in site content, and operational disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an authenticated user, even without explicit delete permissions on the destination volume, to force the deletion of folders and their contents. The direct consequence is asset loss, potentially affecting critical site content and media. This can lead to broken references throughout the Craft CMS instance, rendering parts of the website non-functional or displaying incorrect information. Organizations using affected versions of Craft CMS could face significant operational disruption, data recovery efforts, and reputational damage due to the loss of digital assets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply available patches for Craft CMS, upgrading affected installations to versions \u003ccode\u003e5.9.21\u003c/code\u003e or \u003ccode\u003e4.17.14\u003c/code\u003e or later to remediate CVE-2026-50282.\u003c/li\u003e\n\u003cli\u003eReview and strictly enforce user role permissions within Craft CMS, particularly for \u003ccode\u003edeleteAssets\u003c/code\u003e and \u003ccode\u003ecreateFolders\u003c/code\u003e on asset volumes, as this vulnerability allows an authorization bypass related to these.\u003c/li\u003e\n\u003cli\u003eEnsure comprehensive web server access logging is enabled for your Craft CMS instance. Specifically, monitor for \u003ccode\u003ePOST\u003c/code\u003e requests to \u003ccode\u003e/admin/actions/assets/move-folder\u003c/code\u003e that include the \u003ccode\u003eforce=true\u003c/code\u003e parameter, especially when originating from user accounts with limited asset management privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:30:48Z","date_published":"2026-07-03T11:30:48Z","id":"https://feed.craftedsignal.io/briefs/2026-07-craftcms-unauth-folder-delete/","summary":"A high-severity vulnerability (CVE-2026-50282) in Craft CMS allows an authenticated user to delete destination folders and their contents without explicit delete permissions during a forced folder move operation, enabling asset loss, breaking existing asset references, and causing operational disruption.","title":"Craft CMS Vulnerable to Unauthorized Folder Deletion (CVE-2026-50282)","url":"https://feed.craftedsignal.io/briefs/2026-07-craftcms-unauth-folder-delete/"}],"language":"en","title":"CraftedSignal Threat Feed - Craft CMS (\u003e= 4.0.0-RC1, \u003c 4.17.14)","version":"https://jsonfeed.org/version/1.1"}