CVE-2026-32262 is a path traversal vulnerability classified under CWE-22, affecting Craft CMS, a popular content management system. The flaw exists in the AssetsController->replaceFile() method, specifically in how the targetFilename parameter is handled. This parameter is used unsanitized in a deleteFile() call before the system applies the Assets::prepareAssetName() sanitization during the save operation. An authenticated user with the replaceFiles permission can exploit this by injecting '../' sequences into the targetFilename, enabling deletion of arbitrary files within the same filesystem root. This means that files outside the intended asset directories can be deleted if they reside on the same filesystem, potentially affecting other volumes or folders. The vulnerability is limited to local filesystems and does not extend to remote or cloud storage. Exploitation requires authentication with replaceFiles permission but no additional user interaction or elevated privileges. The issue was present in Craft CMS versions from 4.0.0-RC1 up to but not including 4.17.5, and from 5.0.0-RC1 up to but not including 5.9.11. The vendor has patched this vulnerability in versions 4.17.5 and 5.9.11. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond replaceFiles permission, no user interaction, and limited impact on availability. No known exploits are currently reported in the wild.

The primary impact of this vulnerability is unauthorized deletion of files within the same filesystem root by an authenticated user with replaceFiles permission. This can lead to loss of critical files, potential disruption of website content or functionality, and possible denial of service if essential files are deleted. While the vulnerability does not allow arbitrary file creation or modification, the ability to delete files outside the intended asset directories can compromise data integrity and availability. Organizations relying on Craft CMS for content management may face operational disruptions, data loss, and increased recovery costs. Attackers with insider access or compromised credentials could leverage this flaw to escalate damage. Since the vulnerability requires authentication with specific permissions, the risk is somewhat mitigated by proper access controls, but insider threats or compromised accounts remain a concern. The scope is limited to local filesystems, so environments using remote or cloud storage for assets are less affected. Overall, the impact is moderate but significant for organizations with sensitive or critical data stored on the same filesystem as Craft CMS assets.

1. Upgrade Craft CMS to version 4.17.5 or later, or 5.9.11 or later, where the vulnerability is patched. 2. Restrict replaceFiles permission strictly to trusted and necessary users only, minimizing the number of accounts that can exploit this vulnerability. 3. Implement strong authentication mechanisms and monitor accounts with replaceFiles permission for suspicious activity. 4. Employ filesystem-level access controls and segmentation to isolate critical files and directories from the CMS asset directories, reducing the risk of unauthorized deletion. 5. Regularly back up website files and assets to enable rapid recovery in case of file deletion. 6. Conduct periodic security audits and code reviews to detect improper input sanitization or similar vulnerabilities. 7. Consider deploying runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block path traversal patterns in HTTP requests targeting the replaceFile endpoint. 8. Educate administrators and developers about the risks of path traversal and the importance of input validation.