{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/craft-cms--5.9.22/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-50284"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Craft CMS (\u003c 5.9.22)","Craft CMS (\u003c 4.17.15)"],"_cs_severities":["high"],"_cs_tags":["craft-cms","vulnerability","privilege-escalation","data-deletion","web-application"],"_cs_type":"advisory","_cs_vendors":["Craft CMS"],"content_html":"\u003cp\u003eA critical vulnerability (CVE-2026-50284) has been identified in Craft CMS, affecting versions 4.x before 4.17.15 and 5.x before 5.9.22. This flaw, residing in the \u003ccode\u003eAssetsController::actionDeleteFolder\u003c/code\u003e function, allows low-privilege users with \u003ccode\u003edeleteAssets\u003c/code\u003e permission on a shared volume to bypass intended security controls. Specifically, the system fails to enforce \u003ccode\u003edeletePeerAssets\u003c/code\u003e checks when deleting folders, enabling these users to permanently destroy assets uploaded and owned by other users on the same volume. This bypasses Craft CMS's explicit permission model, which aims to distinguish between a user's ability to delete their own assets versus peer-owned assets. The vulnerability can lead to significant data integrity and availability issues, as peer assets can be deleted without recourse through the Craft CMS UI. The issue is similar to a previous fix in \u003ccode\u003eactionMoveFolder\u003c/code\u003e but was not applied to the delete function.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator grants a low-privilege Craft CMS user \u003ccode\u003edeleteAssets:\u0026lt;volume-uid\u0026gt;\u003c/code\u003e permission for a specific asset volume, but explicitly \u003cem\u003edoes not\u003c/em\u003e grant \u003ccode\u003edeletePeerAssets:\u0026lt;volume-uid\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe low-privilege user, intending to delete peer-owned assets, sends an authenticated HTTP POST request to the \u003ccode\u003e/admin/assets/delete-folder\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request body includes the \u003ccode\u003efolderId\u003c/code\u003e of a folder located within the permitted volume and containing assets uploaded by other users.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAssetsController::actionDeleteFolder\u003c/code\u003e function executes \u003ccode\u003erequireVolumePermissionByFolder('deleteAssets', $folder)\u003c/code\u003e, which successfully validates the user's \u003ccode\u003edeleteAssets\u003c/code\u003e permission.\u003c/li\u003e\n\u003cli\u003eThe function proceeds to call \u003ccode\u003eAssets::deleteFoldersByIds($folderId)\u003c/code\u003e, which iterates through all descendant folders and assets within the target folder.\u003c/li\u003e\n\u003cli\u003eFor each identified asset (including peer-owned ones), \u003ccode\u003eAssets::deleteFoldersByIds\u003c/code\u003e directly invokes \u003ccode\u003eCraft::$app-\u0026gt;getElements()-\u0026gt;deleteElement($asset, true)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis direct invocation of \u003ccode\u003edeleteElement\u003c/code\u003e bypasses the \u003ccode\u003eAsset::canDelete()\u003c/code\u003e function, which contains the intended \u003ccode\u003edeletePeerAssets\u003c/code\u003e check for individual asset deletions.\u003c/li\u003e\n\u003cli\u003eConsequently, peer-owned assets within the specified folder are permanently removed from the underlying filesystem and become inaccessible via Craft CMS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability directly impacts the data integrity and availability of shared asset volumes within Craft CMS environments. Any low-privilege user granted \u003ccode\u003edeleteAssets\u003c/code\u003e permission, without \u003ccode\u003edeletePeerAssets\u003c/code\u003e, can exploit this flaw to permanently destroy files uploaded by other users. This circumvents a fundamental aspect of Craft's permission model, designed to prevent unauthorized deletion of peer data. The consequence is potential data loss and disruption to content operations. While no information disclosure or remote code execution is involved, the inability to distinguish between owned and peer assets for deletion undermines administrative control and can lead to irreversible damage to an organization's digital assets. The impact is broad for any Craft CMS installation utilizing shared asset volumes and differential permissions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-50284 by upgrading Craft CMS to version 4.17.15 (for 4.x) or 5.9.22 (for 5.x) or higher immediately to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eReview all user permissions within Craft CMS, specifically focusing on the \u003ccode\u003edeleteAssets\u003c/code\u003e and \u003ccode\u003edeletePeerAssets\u003c/code\u003e permissions for shared asset volumes, to ensure they align with intended security policies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:48:25Z","date_published":"2026-07-03T11:48:25Z","id":"https://feed.craftedsignal.io/briefs/2026-07-craftcms-peer-asset-deletion/","summary":"A low-privilege user with `deleteAssets` permission in Craft CMS can bypass the `deletePeerAssets` check in the `AssetsController::actionDeleteFolder` function, allowing them to delete assets uploaded by other users (peer assets) within a shared volume, despite lacking the specific `deletePeerAssets` permission, leading to unauthorized data destruction.","title":"Craft CMS Vulnerability Allows Low-Privilege Users to Delete Peer Assets","url":"https://feed.craftedsignal.io/briefs/2026-07-craftcms-peer-asset-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Craft CMS (\u003c 5.9.22)","version":"https://jsonfeed.org/version/1.1"}