CVE-2026-50284: CWE-862: Missing Authorization in craftcms cms
Craft CMS versions 4.0.0-RC1 through 4.17.14 and 5.0.0-RC1 through 5.9.21 contain an authorization vulnerability in the AssetsController::actionDeleteFolder() method. This method only requires the deleteAssets:<volume-uid> permission and does not enforce the deletePeerAssets:<volume-uid> permission, allowing users with folder-management rights to delete assets uploaded by other users. The issue has been fixed in versions 4.17.15 and 5.9.22.
AI Analysis
Technical Summary
In affected versions of Craft CMS, the actionDeleteFolder() endpoint improperly enforces permissions by requiring only deleteAssets:<volume-uid> and not deletePeerAssets:<volume-uid>. Because the deletion cascades to all descendant folders and assets regardless of uploader privileges, a low-privilege user with folder-management rights can delete peer assets without proper authorization. This bypasses the per-asset peer-permission checks that are correctly applied in the sibling actionDeleteAsset endpoint. The vulnerability is identified as CWE-862 (Missing Authorization) and has a CVSS 4.0 score of 7.1, indicating high severity. The issue is fixed in Craft CMS versions 4.17.15 and 5.9.22.
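The gap described above, as an added illustrative model that is not Craft CMS code: a folder delete cascades to every descendant asset, so the authorization check has to consider each asset's uploader the way the per-asset delete path does. The folder tree, the user ids and the permission strings below are constructed for the example.

```python
"""Model of the CVE-2026-50284 authorization gap (added example, not Craft CMS code).
A folder delete cascades to all descendant assets; the check must therefore look
at each asset's uploader, not only at the volume-level deleteAssets permission."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    uploader_id: int


@dataclass
class Folder:
    volume_uid: str
    assets: list = field(default_factory=list)
    children: list = field(default_factory=list)


def descendant_assets(folder):
    """Yield every asset under the folder, recursing like the cascade delete."""
    yield from folder.assets
    for child in folder.children:
        yield from descendant_assets(child)


def vulnerable_can_delete_folder(perms, user_id, folder):
    # Affected versions: only the volume-level deleteAssets permission is checked,
    # so assets uploaded by other users are deleted without deletePeerAssets.
    return f"deleteAssets:{folder.volume_uid}" in perms


def fixed_can_delete_folder(perms, user_id, folder):
    # Hardened check: deleteAssets is still required, and any descendant asset
    # uploaded by a different user additionally requires deletePeerAssets.
    vol = folder.volume_uid
    if f"deleteAssets:{vol}" not in perms:
        return False
    for asset in descendant_assets(folder):
        if asset.uploader_id != user_id and f"deletePeerAssets:{vol}" not in perms:
            return False
    return True


# Constructed sample: user 7 uploaded one file at the top level; user 9 uploaded
# a file in a subfolder. User 7 holds only deleteAssets for the volume.
SAMPLE_FOLDER = Folder("vol-uid", assets=[Asset(7)],
                       children=[Folder("vol-uid", assets=[Asset(9)])])
LOW_PRIV_PERMS = {"deleteAssets:vol-uid"}
```

Running both checks on the sample shows the vulnerable path allowing the delete while the hardened path refuses it until deletePeerAssets for the volume is granted.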
Potential Impact
An attacker with low privileges who has folder-management rights on a shared volume can delete assets uploaded by other users, bypassing intended authorization controls. This can lead to unauthorized destruction of content within the CMS, potentially causing data loss and disruption of content availability.
Mitigation Recommendations
Upgrade Craft CMS to version 4.17.15 or later, or 5.9.22 or later, where this authorization issue has been fixed. There is no indication of a temporary workaround or alternative mitigation. Patch status is confirmed fixed in these versions.
CVSS v4.0 score: 7.1 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-06-04T16:26:05.985Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a459a0d27e9c7971943c20d
Added to database: 07/01/2026, 22:51:57 UTC
Last enriched: 07/01/2026, 23:06:18 UTC
Last updated: 07/01/2026, 23:33:59 UTC