Auth bypass in Craftcms Cms
CVE-2026-50284
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, the AssetsController::actionDeleteFolder() only requires the deleteAssets:<volume-uid> permission for the target folder. It…
Vulnerability class: Broken Access Control
Affected products
- Craftcms Cms — versions >= 5.0.0-RC1, < 5.9.22; >= 4.0.0-RC1, < 4.17.15
Weakness classification (CWE)