CVE-2026-44012: CWE-862: Missing Authorization in craftcms cms
Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.
AI Analysis
Technical Summary
The vulnerability in Craft CMS affects versions 5.0.0-RC1 through 5.9.17. The AssetsController::actionShowInFolder() method does not verify whether the requesting user has the necessary viewAssets or viewPeerAssets permissions on the asset’s volume before returning asset metadata. Consequently, any authenticated user with control panel access can enumerate asset filenames and folder structures across volumes by providing arbitrary asset IDs. This unauthorized information disclosure is classified under CWE-862 (Missing Authorization). The flaw was addressed and fixed in Craft CMS version 5.9.18.
Potential Impact
An attacker with any authenticated control panel user account can enumerate asset filenames and the complete folder hierarchy of any volume, including sensitive metadata such as volume handles, UIDs, folder names, and URI paths. This unauthorized information disclosure could aid further reconnaissance or targeted attacks within the CMS environment. There is no indication of privilege escalation or remote code execution from this vulnerability alone.
Mitigation Recommendations
A fixed version of Craft CMS is available as of 5.9.18. Users should upgrade to version 5.9.18 or later to remediate this vulnerability. Since this is not a cloud service, remediation requires applying the official update. Patch status is confirmed by the vendor advisory stating the issue is fixed in 5.9.18. No additional mitigation steps are indicated.
CVE-2026-44012: CWE-862: Missing Authorization in craftcms cms
Description
Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Craft CMS affects versions 5.0.0-RC1 through 5.9.17. The AssetsController::actionShowInFolder() method does not verify whether the requesting user has the necessary viewAssets or viewPeerAssets permissions on the asset’s volume before returning asset metadata. Consequently, any authenticated user with control panel access can enumerate asset filenames and folder structures across volumes by providing arbitrary asset IDs. This unauthorized information disclosure is classified under CWE-862 (Missing Authorization). The flaw was addressed and fixed in Craft CMS version 5.9.18.
Potential Impact
An attacker with any authenticated control panel user account can enumerate asset filenames and the complete folder hierarchy of any volume, including sensitive metadata such as volume handles, UIDs, folder names, and URI paths. This unauthorized information disclosure could aid further reconnaissance or targeted attacks within the CMS environment. There is no indication of privilege escalation or remote code execution from this vulnerability alone.
Mitigation Recommendations
A fixed version of Craft CMS is available as of 5.9.18. Users should upgrade to version 5.9.18 or later to remediate this vulnerability. Since this is not a cloud service, remediation requires applying the official update. Patch status is confirmed by the vendor advisory stating the issue is fixed in 5.9.18. No additional mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-04T21:24:36.505Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0392cfcbff5d861018bb85
Added to database: 5/12/2026, 8:51:27 PM
Last enriched: 5/12/2026, 9:07:00 PM
Last updated: 5/13/2026, 4:49:21 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.