CVE-2026-50284
Gravedad CVSS v4.0:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
01/07/2026
Última modificación:
02/07/2026
Descripción
*** Pendiente de traducción *** Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder() only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds() cascades deletion to every descendant folder and every asset inside, regardless of the uploader's assigned privileges. A low-privilege user who has been granted folder-management rights on a shared volume can therefore destroy assets uploaded by other users (peer assets), bypassing the per-asset peer-permission check that the sibling actionDeleteAsset endpoint correctly applies. This issue has been fixed in versions 4.17.15 and 5.9.22.
Impacto
Puntuación base 4.0
7.10
Gravedad 4.0
ALTA



