
CVE-2026-50283

Severity: MEDIUM, 5.3 (CVSS 4.0)
Description
Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 through 5.9.20 and 4.0.0-RC1 through 4.17.13 contain an authorization issue in AssetsController::actionReplaceFile() that lets a user delete a source asset without delete permission on its volume by supplying both assetId and sourceAssetId.

actionReplaceFile() supports replacing a target asset's file with the file of another existing asset. The action loads assetId into $assetToReplace and sourceAssetId into $sourceAsset, then enforces the replace permission against ($assetToReplace ?: $sourceAsset). When both IDs are supplied, that expression resolves to the target asset, so no permission check is ever performed against the source asset's volume. When both assets are present, Craft copies the source file into the target and then deletes the source asset; there is no delete-permission check for the source asset.

An authenticated user who can replace files in one volume can therefore delete assets in any other volume where they lack delete permission, as long as they can obtain a valid sourceAssetId, leading to broken content references and data loss. This issue has been fixed in versions 4.17.14 and 5.9.21.
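The following is an added, stand-alone PHP model of the flaw described above, written for this page; it is not Craft CMS's code. The Asset and User classes, the permission keys "replaceFiles:<volume>" and "deleteAssets:<volume>", the helper names and the two sample assets are assumptions chosen to keep the example self-contained. It places the vulnerable shape of the check, `($assetToReplace ?: $sourceAsset)`, beside one possible hardened shape that authorises every asset the action touches.

```php
<?php
// Illustrative model of CVE-2026-50283, written for this page; NOT Craft CMS's own
// AssetsController. Classes, permission keys ("replaceFiles:<vol>", "deleteAssets:<vol>"),
// helper names and sample data are assumptions. Requires PHP 8.1+.

final class Asset
{
    public function __construct(
        public readonly int $id,
        public readonly string $volumeUid,
        public string $filename,
    ) {}
}

final class User
{
    /** @param string[] $permissions */
    public function __construct(private array $permissions) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class ForbiddenHttpException extends RuntimeException {}

function requirePermission(User $user, string $permission): void
{
    if (!$user->can($permission)) {
        throw new ForbiddenHttpException("Missing permission: $permission");
    }
}

/** @return array<int, Asset> constructed in-memory stand-in for the asset table */
function makeAssets(): array
{
    return [
        1 => new Asset(1, 'vol-public', 'banner.jpg'),
        2 => new Asset(2, 'vol-private', 'contract.pdf'),
    ];
}

// Vulnerable shape: the replace permission is checked once, against
// ($assetToReplace ?: $sourceAsset). With both IDs set, the source volume is
// never consulted, yet the source asset is deleted afterwards.
function replaceFileVulnerable(User $user, array &$assets, ?int $assetId, ?int $sourceAssetId): void
{
    $assetToReplace = $assetId !== null ? ($assets[$assetId] ?? null) : null;
    $sourceAsset    = $sourceAssetId !== null ? ($assets[$sourceAssetId] ?? null) : null;

    $checked = $assetToReplace ?: $sourceAsset;   // resolves to the target when both exist
    if ($checked === null) {
        throw new InvalidArgumentException('No asset to operate on');
    }
    requirePermission($user, 'replaceFiles:' . $checked->volumeUid);

    if ($assetToReplace !== null && $sourceAsset !== null) {
        $assetToReplace->filename = $sourceAsset->filename; // copy source file into target
        unset($assets[$sourceAsset->id]);                   // source deleted, never authorised
    }
}

// Hardened shape (one possible fix, not necessarily the vendor's patch): every
// asset the action touches is authorised for the operation performed on it.
function replaceFileFixed(User $user, array &$assets, ?int $assetId, ?int $sourceAssetId): void
{
    $assetToReplace = $assetId !== null ? ($assets[$assetId] ?? null) : null;
    $sourceAsset    = $sourceAssetId !== null ? ($assets[$sourceAssetId] ?? null) : null;

    if ($assetToReplace !== null) {
        requirePermission($user, 'replaceFiles:' . $assetToReplace->volumeUid);
    } elseif ($sourceAsset !== null) {
        requirePermission($user, 'replaceFiles:' . $sourceAsset->volumeUid);
    } else {
        throw new InvalidArgumentException('No asset to operate on');
    }

    if ($assetToReplace !== null && $sourceAsset !== null) {
        // The source asset is about to be removed: demand delete rights on ITS volume.
        requirePermission($user, 'deleteAssets:' . $sourceAsset->volumeUid);
        $assetToReplace->filename = $sourceAsset->filename;
        unset($assets[$sourceAsset->id]);
    }
}

// Low-privileged user: may replace files in vol-public, has no rights in vol-private.
$user = new User(['replaceFiles:vol-public']);

$assets = makeAssets();
replaceFileVulnerable($user, $assets, 1, 2);
echo 'vulnerable: asset 2 still exists? ' . (isset($assets[2]) ? 'yes' : 'no') . PHP_EOL;

$assets = makeAssets();
try {
    replaceFileFixed($user, $assets, 1, 2);
} catch (ForbiddenHttpException $e) {
    echo 'fixed: ' . $e->getMessage() . PHP_EOL;
}
echo 'fixed: asset 2 still exists? ' . (isset($assets[2]) ? 'yes' : 'no') . PHP_EOL;
```

Run with `php example.php`. The vulnerable path deletes asset 2 from vol-private even though the user holds only replaceFiles:vol-public, because the single check only ever sees the target asset. The hardened path rejects the request with a ForbiddenHttpException before the copy or the delete happens, so asset 2 survives. The general lesson is the one behind CWE-862/CWE-639 here: when one request names several user-controlled object IDs, authorise each object for the operation actually performed on it rather than collapsing them into a single check.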

Metadata

CVE ID: CVE-2026-50283
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-04 16:26 UTC
Published: 2026-07-01 22:20 UTC
Last updated: 2026-07-01 22:20 UTC
Primary CWE: CWE-862 (Missing Authorization)
Vendor / Product: craftcms / cms
Sources: cve.org · NVD

Severity & Metrics

CVSS 4.0 (source: cna): 5.3 MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Reading the vector: network-reachable, low complexity, no preconditions, requires an authenticated low-privileged user (PR:L), no user interaction; limited integrity and availability impact (VI:L/VA:L) from the asset deletion, no confidentiality impact (VC:N), no impact on subsequent systems.

Affected products (1)

Vendor    Product  Platform  Versions
craftcms  cms      -         >= 5.0.0-RC1, < 5.9.21; >= 4.0.0-RC1, < 4.17.14

Weakness (CWE)

CWE      Source  Description
CWE-639  cna     Authorization Bypass Through User-Controlled Key
CWE-862  cna     Missing Authorization