Threat Advisory

Craft CMS Vulnerabilities Result in Improper Directory Removal

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

Six vulnerabilities have been identified in Craft CMS. They include missing authorization checks, mass-assignment issues, and improper permission validation that allow unauthorized deletion of assets and modification of content. A low-privileged authenticated user could exploit them to delete folders belonging to other users, overwrite existing entries, or spoof authorship on content. The business impact includes data loss, corruption of content integrity, and disruption of editorial workflows, because section- and volume-level access controls can be bypassed.


CVE-2026-50282 with a CVSS score of 7.1 – It is an authorization issue in Craft CMS’s AssetsController::actionMoveFolder() where a forced folder move can delete an existing destination folder during name conflict resolution without requiring delete permission on the destination volume, enabling unauthorized deletion of assets and potential data loss.

CVE-2026-50281 with a CVSS score of 7.1 – It is a mass-assignment vulnerability in Craft CMS’s bulk duplicate element action where an attacker can inject an arbitrary id via newAttributes, causing the duplicate routine to overwrite existing database records instead of creating new ones, leading to unauthorized modification of entries and corruption of content integrity across affected element types.

CVE-2026-50284 with a CVSS score of 7.1 – It is a missing authorization check in Craft CMS’s AssetsController::actionDeleteFolder() where only the deleteAssets permission is enforced while deletePeerAssets is ignored, allowing a low-privileged user with folder delete rights to recursively delete peer-owned folders and assets, resulting in unauthorized data loss and broken content integrity.

CVE-2026-50283 with a CVSS score of 5.3 – It is a missing peer-permission enforcement issue in Craft CMS’s AssetsController::actionDeleteFolder() where only deleteAssets is checked while deletePeerAssets is ignored, allowing a low-privileged user to recursively delete folders and peer-owned assets across a volume, resulting in unauthorized data loss and broken asset integrity. Note that the descriptions given here for CVE-2026-50283 and CVE-2026-50284 are near-identical and differ mainly in CVSS score; consult the linked GitHub advisories for what distinguishes the two issues.

CVE-2026-50280 with a CVSS score of 6.0 – It is an authorization bypass in Craft CMS’s EntriesController::actionMoveToSection() where only viewEntries permission is validated for the destination section instead of saveEntries, allowing a low-privileged authenticated user to move entries into restricted sections without write permission, violating section-level access controls and content governance rules.

CVE-2026-50279 with a CVSS score of 7.6 – It is an authorization logic flaw in Craft CMS’s EntriesController::actionSaveEntry() where author changes are accepted based on permission checks performed before the entry is mutated, allowing a low-privileged user to reassign entry authorship to arbitrary users without the dedicated peer author-change permission, leading to falsified ownership, broken audit trails, and workflow integrity issues.
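To make the three authorization patterns concrete, the PHP sketch below (an added illustration, not Craft CMS source code) places each vulnerable check beside a hardened version: the peer-asset check behind actionDeleteFolder, the pre-mutation author check behind actionSaveEntry, and the unfiltered newAttributes merge behind the bulk duplicate action. The User, Asset and Entry classes, the request shapes, and the permission names savePeerEntries and changePeerEntryAuthor are hypothetical stand-ins; deleteAssets and deletePeerAssets are the names used in the advisory above.

```php
<?php
declare(strict_types=1);

// Added illustration, not Craft CMS code. Classes and the permission names
// 'savePeerEntries' / 'changePeerEntryAuthor' are hypothetical stand-ins.

final class User
{
    /** @param string[] $permissions */
    public function __construct(public readonly int $id, private array $permissions) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class Asset
{
    public function __construct(public readonly int $id, public readonly int $uploaderId) {}
}

final class Entry
{
    public function __construct(public readonly int $id, public int $authorId, public string $title) {}
}

// Pattern 1 (folder deletion): only the generic permission is checked, so a user
// holding deleteAssets can delete a folder that contains other users' assets.
function canDeleteFolderVulnerable(User $user, array $assets): bool
{
    return $user->can('deleteAssets');
}

// Hardened: assets uploaded by someone else additionally require deletePeerAssets.
function canDeleteFolderHardened(User $user, array $assets): bool
{
    if (!$user->can('deleteAssets')) {
        return false;
    }
    foreach ($assets as $asset) {
        if ($asset->uploaderId !== $user->id && !$user->can('deletePeerAssets')) {
            return false;
        }
    }
    return true;
}

// Pattern 2 (entry save): the check runs against the entry as stored, then the
// author is overwritten from request input. The owner passes the check and can
// hand the entry to any user id.
function saveEntryVulnerable(User $user, Entry $entry, array $request): Entry
{
    if ($entry->authorId !== $user->id && !$user->can('savePeerEntries')) {
        throw new RuntimeException('forbidden');
    }
    if (isset($request['authorId'])) {
        $entry->authorId = (int) $request['authorId'];
    }
    return $entry;
}

// Hardened: changing the author is a distinct operation with its own permission,
// evaluated on the requested (post-mutation) value before it is applied.
function saveEntryHardened(User $user, Entry $entry, array $request): Entry
{
    if ($entry->authorId !== $user->id && !$user->can('savePeerEntries')) {
        throw new RuntimeException('forbidden');
    }
    if (isset($request['authorId']) && (int) $request['authorId'] !== $entry->authorId) {
        if (!$user->can('changePeerEntryAuthor')) {
            throw new RuntimeException('forbidden: author change needs changePeerEntryAuthor');
        }
        $entry->authorId = (int) $request['authorId'];
    }
    return $entry;
}

// Pattern 3 (bulk duplicate): every supplied attribute is merged onto the copy,
// so a caller-supplied 'id' makes the save target an existing row.
function duplicateVulnerable(Entry $source, array $newAttributes): array
{
    $copy = ['id' => null, 'authorId' => $source->authorId, 'title' => $source->title];
    return array_merge($copy, $newAttributes);
}

// Hardened: only an explicit allow-list of attributes may be overridden.
function duplicateHardened(Entry $source, array $newAttributes): array
{
    $allowed = ['title', 'authorId'];
    $copy = ['id' => null, 'authorId' => $source->authorId, 'title' => $source->title];
    return array_merge($copy, array_intersect_key($newAttributes, array_flip($allowed)));
}

// Demo on constructed data: user 2 holds deleteAssets but not deletePeerAssets,
// and asset 11 in the folder belongs to user 5.
$editor = new User(2, ['deleteAssets', 'saveEntries']);
$folder = [new Asset(10, 2), new Asset(11, 5)];
var_dump(canDeleteFolderVulnerable($editor, $folder), canDeleteFolderHardened($editor, $folder));

$entry = new Entry(7, 2, 'Post');
var_dump(saveEntryVulnerable($editor, clone $entry, ['authorId' => 99])->authorId);
try {
    saveEntryHardened($editor, clone $entry, ['authorId' => 99]);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

var_dump(duplicateVulnerable($entry, ['id' => 7, 'title' => 'x'])['id']);
var_dump(duplicateHardened($entry, ['id' => 7, 'title' => 'x'])['id']);
```

Run with `php` 8.1 or later. The demo shows the vulnerable folder check passing where the hardened one refuses, the vulnerable save reassigning the entry to user 99 while the hardened save throws, and the vulnerable duplicate carrying the injected id through while the hardened duplicate keeps it null. The common fix in all three cases is the same: evaluate the permission against the object the request will actually touch (the peer-owned asset, the new author, the existing row), not just against the caller's generic role.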

 

RECOMMENDATION:

Upgrade Craft CMS to the patched release identified in the GitHub advisories linked under References. Until the upgrade is deployed, review user-group permissions so that only trusted roles hold deleteAssets, saveEntries and the peer-level permissions (deletePeerAssets and peer author changes) on volumes and sections that contain other users' content, and audit recent folder deletions, folder moves, entry moves between sections, bulk duplications and authorship changes for unexpected activity.


REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-3w32-23wj-rxg3
https://github.com/advisories/GHSA-x5m4-g2cq-52pq
https://github.com/advisories/GHSA-7h62-6v23-v8fm
https://github.com/advisories/GHSA-qh45-9g5p-m2v4
https://github.com/advisories/GHSA-43cq-c2gq-pfpw
https://github.com/advisories/GHSA-qq2c-2q8j-jh27
