Skip to main content

Craft CMS CVE-2026-44012

HIGH
Missing Authorization (CWE-862)
2026-05-06 https://github.com/craftcms/cms GHSA-33m5-hqp9-97pw
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
May 12, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 21:22 NVD
7.1 (HIGH)
Source Code Evidence Fetched
May 06, 2026 - 18:31 vuln.today
Analysis Generated
May 06, 2026 - 18:31 vuln.today

DescriptionGitHub Advisory

Summary

AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user - even one with zero volume permissions - can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs.

This follows the exact same incomplete-patch pattern as four GHSAs merged on 2026-02-25 (GHSA-x76w-8c62-48mg, GHSA-vgjg-248p-rfm2, GHSA-5pgf-h923-m958, GHSA-3pvf-vxrv-hh9c), all of which added requireVolumePermissionByAsset() + requirePeerVolumePermissionByAsset() to sibling AssetsController actions. The actionShowInFolder method was introduced thirteen days before the patch wave and was not included in it.

Details

The vulnerability is in src/controllers/AssetsController.php at line 1437. The method:

  1. Calls requireCpRequest() - verifies the request targets the CP, enforces accessCp permission via Controller::_enforceAllowAnonymous(), but does NOT enforce any volume-level permission.
  2. Fetches any asset by ID with Asset::findOne($assetId) - no editable/savable scope filter, so all assets across all volumes are reachable.
  3. Returns sensitive structural data via JSON.

Impact

  • Any authenticated control panel user with only accessCp permission can discover the filenames and complete folder structure (names, UIDs, handles, URIs) of assets in volumes they are not authorized to access.
  • Sensitive volume structures - private document repositories, confidential media, internal file names - are exposed to any user who can log into the control panel.
  • This enables targeted follow-up attacks: an attacker who knows a private asset’s filename and folder path may have other avenues to exfiltrate the actual file.

Resources

https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586

AnalysisAI

Authenticated control-panel users in Craft CMS 5.x can enumerate asset filenames and complete folder hierarchies (volume handles, UIDs, folder names, URIs) across all volumes by sending arbitrary asset IDs to the AssetsController::actionShowInFolder endpoint, bypassing volume-level viewAssets and viewPeerAssets permission checks. The flaw stems from an incomplete February 2026 patch wave that fixed four sibling endpoints but missed this method, introduced 13 days before the patch release. No public exploit identified at time of analysis; vendor-released patch fixes 5.9.18 and later. This information disclosure vulnerability enables reconnaissance for follow-up attacks against restricted asset volumes.

Technical ContextAI

Craft CMS's AssetsController provides REST-style endpoints for asset management in the Control Panel. The actionShowInFolder method at src/controllers/AssetsController.php:1437 performs asset retrieval using Asset::findOne($assetId) without applying editable or savable query scopes that filter by user permissions. While the method calls requireCpRequest() to enforce accessCp permission (the base right to access the Control Panel interface), it omits the two volume-permission checks added to parallel endpoints in commit e3f3eaab during the February 25 patch wave: requireVolumePermissionByAsset('viewAssets') and requirePeerVolumePermissionByAsset('viewPeerAssets'). These methods verify that the requesting user holds explicit view permissions on the asset's parent volume. The missing check exemplifies CWE-862 (Missing Authorization) - the endpoint authenticates the user but fails to authorize access to the resource. Craft's permission model separates Control Panel access from volume-level grants; users may have accessCp but zero volume permissions, creating a privilege boundary this vulnerability crosses. The flaw is compositionally identical to GHSA-x76w-8c62-48mg, GHSA-vgjg-248p-rfm2, GHSA-5pgf-h923-m958, and GHSA-3pvf-vxrv-hh9c, all of which were patched in the same commit but targeted sibling controller methods.

RemediationAI

Upgrade to Craft CMS 5.9.18 or later, which adds the missing requireVolumePermissionByAsset and requirePeerVolumePermissionByAsset checks to AssetsController::actionShowInFolder per commit e3f3eaab3d85badd713cfc2c24e5f0792ecdb586. Composer users should run composer update craftcms/cms and deploy the updated vendor directory. Review the GitHub advisory at https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw for any additional vendor guidance. If immediate upgrade is not feasible, apply defense-in-depth compensating controls: restrict Control Panel access to trusted users only (review and revoke accessCp permission for any non-essential accounts), enable IP allowlisting for the /admin path if Craft configuration supports it (limits CP access to known networks, reducing insider threat surface but breaks remote administration), and audit recent CP access logs for anomalous asset enumeration patterns (rapid sequential requests to assets/show-in-folder with incrementing IDs). Note that IP restrictions may disrupt legitimate remote work; assess operational trade-offs. No workaround fully mitigates the flaw without patching.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-44012 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy