<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Craft CMS (&gt;= 5.0.0-RC1, &lt; 5.9.21) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/craft-cms--5.0.0-rc1--5.9.21/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:30:48 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/craft-cms--5.0.0-rc1--5.9.21/feed.xml" rel="self" type="application/rss+xml"/><item><title>Craft CMS Vulnerable to Unauthorized Folder Deletion (CVE-2026-50282)</title><link>https://feed.craftedsignal.io/briefs/2026-07-craftcms-unauth-folder-delete/</link><pubDate>Fri, 03 Jul 2026 11:30:48 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-craftcms-unauth-folder-delete/</guid><description>A high-severity vulnerability (CVE-2026-50282) in Craft CMS allows an authenticated user to delete destination folders and their contents without explicit delete permissions during a forced folder move operation, enabling asset loss, breaking existing asset references, and causing operational disruption.</description><content:encoded><![CDATA[<p>A high-severity vulnerability (CVE-2026-50282) has been identified in Craft CMS versions 4.x and 5.x, where an authenticated user can perform unauthorized deletion of destination folders during a forced move operation. Specifically, Craft CMS versions <code>5.0.0-RC1</code> through <code>5.9.20</code> and <code>4.0.0-RC1</code> through <code>4.17.13</code> are affected. The flaw resides in <code>craft\controllers\AssetsController::actionMoveFolder()</code>, which permits a folder to be overwritten at the destination if <code>force=true</code> is used, without properly verifying <code>deleteAssets</code> permission for the destination volume. This oversight allows an attacker with legitimate access but lacking explicit delete privileges to eliminate arbitrary destination folders and their contents, leading to data loss, broken asset references within entries and fields, and significant operational disruption for affected organizations utilizing Craft CMS.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker logs into the Craft CMS administrative interface.</li>
<li>The attacker identifies an existing asset folder, <code>MaliciousFolder</code>, and a target destination parent folder, <code>TargetDestination</code>, where another legitimate folder (<code>VictimFolder</code>) with the same name as <code>MaliciousFolder</code> already exists.</li>
<li>The attacker prepares a move operation for <code>MaliciousFolder</code> into <code>TargetDestination</code>.</li>
<li>The attacker crafts a request to <code>craft\controllers\AssetsController::actionMoveFolder()</code> specifying <code>MaliciousFolder</code> as the source, <code>TargetDestination</code> as the destination, and includes the <code>force=true</code> parameter.</li>
<li>Despite the attacker lacking <code>deleteAssets</code> permission for the volume containing <code>VictimFolder</code> within <code>TargetDestination</code>, the Craft CMS application logic proceeds.</li>
<li>The application detects the name conflict and, due to the <code>force=true</code> parameter, initiates the deletion of <code>VictimFolder</code> and all its contents using <code>assets-&gt;deleteFoldersByIds($existingFolder-&gt;id)</code> or <code>targetVolume-&gt;deleteDirectory()</code>.</li>
<li>Subsequently, <code>MaliciousFolder</code> is moved into <code>TargetDestination</code>.</li>
<li>The unauthorized deletion of <code>VictimFolder</code> results in data loss, broken asset references in site content, and operational disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows an authenticated user, even without explicit delete permissions on the destination volume, to force the deletion of folders and their contents. The direct consequence is asset loss, potentially affecting critical site content and media. This can lead to broken references throughout the Craft CMS instance, rendering parts of the website non-functional or displaying incorrect information. Organizations using affected versions of Craft CMS could face significant operational disruption, data recovery efforts, and reputational damage due to the loss of digital assets.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately apply available patches for Craft CMS, upgrading affected installations to versions <code>5.9.21</code> or <code>4.17.14</code> or later to remediate CVE-2026-50282.</li>
<li>Review and strictly enforce user role permissions within Craft CMS, particularly for <code>deleteAssets</code> and <code>createFolders</code> on asset volumes, as this vulnerability allows an authorization bypass related to these.</li>
<li>Ensure comprehensive web server access logging is enabled for your Craft CMS instance. Specifically, monitor for <code>POST</code> requests to <code>/admin/actions/assets/move-folder</code> that include the <code>force=true</code> parameter, especially when originating from user accounts with limited asset management privileges.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authorization-bypass</category><category>cms</category><category>craft-cms</category><category>webserver</category><category>cve</category></item></channel></rss>