Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information...

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.

Basic Information

ID CVE-2026-44012

Source GitHub_M

Published May 12, 2026 at 20:19

Affected Product

Vendor craftcms

Product cms

Version >= 5.0.0-RC1, < 5.9.18

Affected Versions craftcms cms >= 5.0.0-RC1, < 5.9.18

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset\u2019s volume. Any authenticated CP user \u2014 even one with zero volume permissions \u2014 can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.",
    "published": "2026-05-12T20:19:33.550Z",
    "modified": "2026-05-12T20:19:33.550Z",
    "type": "cve",
    "title": "Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure",
    "source": "GitHub_M",
    "references": "https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw\nhttps://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586",
    "id": "CVE-2026-44012",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "craftcms cms >= 5.0.0-RC1, < 5.9.18",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cms",
    "version": ">= 5.0.0-RC1, < 5.9.18",
    "vendor": "craftcms",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure_CVE-2026-44012