Craft CMS CVE-2026-44012
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user - even one with zero volume permissions - can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs.
This follows the exact same incomplete-patch pattern as four GHSAs merged on 2026-02-25 (GHSA-x76w-8c62-48mg, GHSA-vgjg-248p-rfm2, GHSA-5pgf-h923-m958, GHSA-3pvf-vxrv-hh9c), all of which added requireVolumePermissionByAsset() + requirePeerVolumePermissionByAsset() to sibling AssetsController actions. The actionShowInFolder method was introduced thirteen days before the patch wave and was not included in it.
Details
The vulnerability is in src/controllers/AssetsController.php at line 1437. The method:
- Calls
requireCpRequest()- verifies the request targets the CP, enforcesaccessCppermission viaController::_enforceAllowAnonymous(), but does NOT enforce any volume-level permission. - Fetches any asset by ID with
Asset::findOne($assetId)- noeditable/savablescope filter, so all assets across all volumes are reachable. - Returns sensitive structural data via JSON.
Impact
- Any authenticated control panel user with only
accessCppermission can discover the filenames and complete folder structure (names, UIDs, handles, URIs) of assets in volumes they are not authorized to access. - Sensitive volume structures - private document repositories, confidential media, internal file names - are exposed to any user who can log into the control panel.
- This enables targeted follow-up attacks: an attacker who knows a private asset’s filename and folder path may have other avenues to exfiltrate the actual file.
Resources
https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586
AnalysisAI
Authenticated control-panel users in Craft CMS 5.x can enumerate asset filenames and complete folder hierarchies (volume handles, UIDs, folder names, URIs) across all volumes by sending arbitrary asset IDs to the AssetsController::actionShowInFolder endpoint, bypassing volume-level viewAssets and viewPeerAssets permission checks. The flaw stems from an incomplete February 2026 patch wave that fixed four sibling endpoints but missed this method, introduced 13 days before the patch release. No public exploit identified at time of analysis; vendor-released patch fixes 5.9.18 and later. This information disclosure vulnerability enables reconnaissance for follow-up attacks against restricted asset volumes.
Technical ContextAI
Craft CMS's AssetsController provides REST-style endpoints for asset management in the Control Panel. The actionShowInFolder method at src/controllers/AssetsController.php:1437 performs asset retrieval using Asset::findOne($assetId) without applying editable or savable query scopes that filter by user permissions. While the method calls requireCpRequest() to enforce accessCp permission (the base right to access the Control Panel interface), it omits the two volume-permission checks added to parallel endpoints in commit e3f3eaab during the February 25 patch wave: requireVolumePermissionByAsset('viewAssets') and requirePeerVolumePermissionByAsset('viewPeerAssets'). These methods verify that the requesting user holds explicit view permissions on the asset's parent volume. The missing check exemplifies CWE-862 (Missing Authorization) - the endpoint authenticates the user but fails to authorize access to the resource. Craft's permission model separates Control Panel access from volume-level grants; users may have accessCp but zero volume permissions, creating a privilege boundary this vulnerability crosses. The flaw is compositionally identical to GHSA-x76w-8c62-48mg, GHSA-vgjg-248p-rfm2, GHSA-5pgf-h923-m958, and GHSA-3pvf-vxrv-hh9c, all of which were patched in the same commit but targeted sibling controller methods.
RemediationAI
Upgrade to Craft CMS 5.9.18 or later, which adds the missing requireVolumePermissionByAsset and requirePeerVolumePermissionByAsset checks to AssetsController::actionShowInFolder per commit e3f3eaab3d85badd713cfc2c24e5f0792ecdb586. Composer users should run composer update craftcms/cms and deploy the updated vendor directory. Review the GitHub advisory at https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw for any additional vendor guidance. If immediate upgrade is not feasible, apply defense-in-depth compensating controls: restrict Control Panel access to trusted users only (review and revoke accessCp permission for any non-essential accounts), enable IP allowlisting for the /admin path if Craft configuration supports it (limits CP access to known networks, reducing insider threat surface but breaks remote administration), and audit recent CP access logs for anomalous asset enumeration patterns (rapid sequential requests to assets/show-in-folder with incrementing IDs). Note that IP restrictions may disrupt legitimate remote work; assess operational trade-offs. No workaround fully mitigates the flaw without patching.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-33m5-hqp9-97pw