Product
A low-privilege user with `deleteAssets` permission in Craft CMS can bypass the `deletePeerAssets` check in the `AssetsController::actionDeleteFolder` function, allowing them to delete assets uploaded by other users (peer assets) within a shared volume, despite lacking the specific `deletePeerAssets` permission, leading to unauthorized data destruction.