CVE-2026-32262 is a path traversal vulnerability classified under CWE-22 found in Craft CMS, a popular content management system. The flaw exists in the AssetsController->replaceFile() method, where the targetFilename parameter is used unsanitized in a deleteFile() operation before the system applies filename sanitization during the save process. This improper handling allows an authenticated user with the replaceFiles permission to inject '../' sequences into the filename, enabling deletion of arbitrary files within the same filesystem root. The vulnerability affects Craft CMS versions from 4.0.0-RC1 up to but not including 4.17.5, and from 5.0.0-RC1 up to but not including 5.9.11. Since the vulnerability only impacts local filesystems, remote or cloud storage configurations are not affected. Exploitation does not require additional user interaction beyond authentication and appropriate permissions, making it a significant risk for insiders or compromised accounts. The vulnerability could lead to deletion of critical files outside the intended asset directories, potentially causing data loss, service disruption, or further exploitation opportunities. The issue has been addressed in Craft CMS versions 4.17.5 and 5.9.11 by properly sanitizing the filename before deletion operations.

The primary impact of CVE-2026-32262 is unauthorized deletion of arbitrary files within the same filesystem root by an authenticated user with replaceFiles permission. This can lead to partial or complete loss of critical data, disruption of website or CMS functionality, and potential downtime. Since the vulnerability allows deletion beyond the intended asset directories, attackers could remove configuration files, logs, or other sensitive files, which may further compromise system integrity or complicate recovery efforts. Organizations relying on Craft CMS for content management and digital presence could face operational interruptions, reputational damage, and increased recovery costs. The risk is heightened in environments where multiple volumes or directories share the same filesystem root, expanding the scope of potential damage. Although exploitation requires authentication and specific permissions, compromised or malicious insiders could leverage this vulnerability to cause significant harm. No known exploits are currently reported in the wild, but the medium CVSS score indicates a moderate risk that should be addressed promptly.

To mitigate CVE-2026-32262, organizations should upgrade Craft CMS installations to versions 4.17.5 or 5.9.11 or later, where the vulnerability is patched. Until upgrades are applied, restrict replaceFiles permissions strictly to trusted users and regularly audit permission assignments to minimize risk. Implement monitoring and alerting on file deletion activities within the CMS filesystem to detect suspicious behavior early. Employ filesystem-level protections such as access control lists (ACLs) to limit the ability of the CMS process to delete files outside designated asset directories. Consider isolating CMS assets on dedicated volumes or partitions to contain potential damage from path traversal exploits. Regularly back up critical files and configurations to enable rapid recovery in case of unauthorized deletions. Additionally, review and harden authentication mechanisms to prevent account compromise, as exploitation requires authenticated access with specific permissions. Finally, conduct security awareness training for CMS administrators and users with elevated permissions to reduce insider threat risks.