CVE-2026-50284
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
In Craft CMS versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, the folder deletion function does not enforce peer asset deletion permissions. A low-privilege user can delete folders and all contained assets, including those uploaded by other users.
Risk Assessment
The organization is at risk of unauthorized asset deletion by low-privilege users, potentially leading to data loss and system integrity compromise.
Recommendation
Immediately update Craft CMS to version 4.17.15 or 5.9.22, which contain the fix for this vulnerability.
Original NVD description (English source)
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder() only requires the deleteAssets:<volume-uid> permission for the target folder. It never enforces deletePeerAssets:<volume-uid>, even though Assets::deleteFoldersByIds() cascades deletion to every descendant folder and every asset inside, regardless of the uploader's assigned privileges. A low-privilege user who has been granted folder-management rights on a shared volume can therefore destroy assets uploaded by other users (peer assets), bypassing the per-asset peer-permission check that the sibling actionDeleteAsset endpoint correctly applies. This issue has been fixed in versions 4.17.15 and 5.9.22.

