Home

Description

Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.

PUBLISHED Reserved 2026-05-04 | Published 2026-05-12 | Updated 2026-05-13 | Assigner GitHub_M




HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-862: Missing Authorization

Product status

>= 5.0.0-RC1, < 5.9.18
affected

References

github.com/...ms/cms/security/advisories/GHSA-33m5-hqp9-97pw

github.com/...ommit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586

cve.org (CVE-2026-44012)

nvd.nist.gov (CVE-2026-44012)

Download JSON