CVE-2026-44012

HIGH

Craft CMS < 5.9.18 AssetsController - Missing Volume Permission Check

Title source: manual

Description

Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw

X_Refsource_Misc x_refsource_misc

https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586

View Writeup ZIP pw:eip

Scores

CVSS v4 7.1

EPSS 0.0032

EPSS Percentile 24.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (2)

craftcms/cms 5.0.0-RC1 - 5.9.18Packagist

craftcms/cms >= 5.0.0-RC1, < 5.9.18

Published May 12, 2026

Tracked Since May 13, 2026