Auth bypass in Craftcms Cms

CVE-2026-50284

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, the AssetsController::actionDeleteFolder() only requires the deleteAssets:<volume-uid> permission for the target folder. It…

Vulnerability class: Broken Access Control

Affected products

  • Craftcms Cms — versions >= 5.0.0-RC1, < 5.9.22, >= 4.0.0-RC1, < 4.17.15

Weakness classification (CWE)

References