<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Craft CMS (&lt; 4.17.15) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/craft-cms--4.17.15/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:48:25 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/craft-cms--4.17.15/feed.xml" rel="self" type="application/rss+xml"/><item><title>Craft CMS Vulnerability Allows Low-Privilege Users to Delete Peer Assets</title><link>https://feed.craftedsignal.io/briefs/2026-07-craftcms-peer-asset-deletion/</link><pubDate>Fri, 03 Jul 2026 11:48:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-craftcms-peer-asset-deletion/</guid><description>A low-privilege user with `deleteAssets` permission in Craft CMS can bypass the `deletePeerAssets` check in the `AssetsController::actionDeleteFolder` function, allowing them to delete assets uploaded by other users (peer assets) within a shared volume, despite lacking the specific `deletePeerAssets` permission, leading to unauthorized data destruction.</description><content:encoded><![CDATA[<p>A critical vulnerability (CVE-2026-50284) has been identified in Craft CMS, affecting versions 4.x before 4.17.15 and 5.x before 5.9.22. This flaw, residing in the <code>AssetsController::actionDeleteFolder</code> function, allows low-privilege users with <code>deleteAssets</code> permission on a shared volume to bypass intended security controls. Specifically, the system fails to enforce <code>deletePeerAssets</code> checks when deleting folders, enabling these users to permanently destroy assets uploaded and owned by other users on the same volume. This bypasses Craft CMS's explicit permission model, which aims to distinguish between a user's ability to delete their own assets versus peer-owned assets. The vulnerability can lead to significant data integrity and availability issues, as peer assets can be deleted without recourse through the Craft CMS UI. The issue is similar to a previous fix in <code>actionMoveFolder</code> but was not applied to the delete function.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An administrator grants a low-privilege Craft CMS user <code>deleteAssets:&lt;volume-uid&gt;</code> permission for a specific asset volume, but explicitly <em>does not</em> grant <code>deletePeerAssets:&lt;volume-uid&gt;</code>.</li>
<li>The low-privilege user, intending to delete peer-owned assets, sends an authenticated HTTP POST request to the <code>/admin/assets/delete-folder</code> endpoint.</li>
<li>The request body includes the <code>folderId</code> of a folder located within the permitted volume and containing assets uploaded by other users.</li>
<li>The <code>AssetsController::actionDeleteFolder</code> function executes <code>requireVolumePermissionByFolder('deleteAssets', $folder)</code>, which successfully validates the user's <code>deleteAssets</code> permission.</li>
<li>The function proceeds to call <code>Assets::deleteFoldersByIds($folderId)</code>, which iterates through all descendant folders and assets within the target folder.</li>
<li>For each identified asset (including peer-owned ones), <code>Assets::deleteFoldersByIds</code> directly invokes <code>Craft::$app-&gt;getElements()-&gt;deleteElement($asset, true)</code>.</li>
<li>This direct invocation of <code>deleteElement</code> bypasses the <code>Asset::canDelete()</code> function, which contains the intended <code>deletePeerAssets</code> check for individual asset deletions.</li>
<li>Consequently, peer-owned assets within the specified folder are permanently removed from the underlying filesystem and become inaccessible via Craft CMS.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability directly impacts the data integrity and availability of shared asset volumes within Craft CMS environments. Any low-privilege user granted <code>deleteAssets</code> permission, without <code>deletePeerAssets</code>, can exploit this flaw to permanently destroy files uploaded by other users. This circumvents a fundamental aspect of Craft's permission model, designed to prevent unauthorized deletion of peer data. The consequence is potential data loss and disruption to content operations. While no information disclosure or remote code execution is involved, the inability to distinguish between owned and peer assets for deletion undermines administrative control and can lead to irreversible damage to an organization's digital assets. The impact is broad for any Craft CMS installation utilizing shared asset volumes and differential permissions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-50284 by upgrading Craft CMS to version 4.17.15 (for 4.x) or 5.9.22 (for 5.x) or higher immediately to remediate the vulnerability.</li>
<li>Review all user permissions within Craft CMS, specifically focusing on the <code>deleteAssets</code> and <code>deletePeerAssets</code> permissions for shared asset volumes, to ensure they align with intended security policies.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>craft-cms</category><category>vulnerability</category><category>privilege-escalation</category><category>data-deletion</category><category>web-application</category></item></channel></rss>