Authorization Issue in Craft CMS Affects Multiple Versions
CVE-2026-50282
4.9 MEDIUM
What is CVE-2026-50282?
Craft CMS, a popular content management system, has a vulnerability that allows unauthorized deletion of folders during a forced move operation. Specifically, when a forced folder move is requested and a folder with a conflicting name already exists at the destination, the system can overwrite the existing folder without the necessary permissions. This flaw affects Craft CMS versions 5.0.0-RC1 and above prior to 5.9.21, as well as versions 4.0.0-RC1 and above prior to 4.17.14. The issue has been addressed in the latest releases, which require appropriate permissions before allowing folder overwrites.
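The missing check described above, as an added example: a toy in-memory model, not Craft CMS code or the project's patch. A forced move that replaces an existing destination folder is an implicit delete, so it has to be authorized as one. `User`, `Volume`, `move_folder`, the `move:`/`delete:` permission strings and the `check_overwrite` switch are all hypothetical names.

```python
# Added illustration: a toy in-memory model, not Craft CMS code.
# Every name and permission string here is hypothetical.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks a required permission."""


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)  # e.g. {"move:/a", "delete:/b"}


@dataclass
class Volume:
    folders: dict = field(default_factory=dict)  # folder path -> list of file names


def move_folder(vol, user, src, dest_parent, force=False, check_overwrite=True):
    """Move `src` under `dest_parent`; force=True replaces a same-named folder.

    check_overwrite=False reproduces the flaw: the implicit delete of the
    existing destination folder is never authorized.
    """
    if f"move:{src}" not in user.permissions:
        raise Forbidden(f"{user.name} may not move {src}")
    target = f"{dest_parent}/{src.rsplit('/', 1)[-1]}"
    if target in vol.folders:
        if not force:
            raise FileExistsError(target)
        # Overwriting deletes `target`, so require delete rights on it
        # before anything is modified.
        if check_overwrite and f"delete:{target}" not in user.permissions:
            raise Forbidden(f"{user.name} may not overwrite {target}")
        del vol.folders[target]
    vol.folders[target] = vol.folders.pop(src)
    return target


def demo(check_overwrite):
    """Constructed scenario: editor may move /drafts/img, has no rights on /public/img."""
    vol = Volume({"/drafts/img": ["a.png"], "/public/img": ["logo.png"]})
    editor = User("editor", {"move:/drafts/img"})
    try:
        move_folder(vol, editor, "/drafts/img", "/public", force=True,
                    check_overwrite=check_overwrite)
    except Forbidden:
        return "denied", vol.folders
    return "moved", vol.folders
```
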
Affected Version(s)
cms >= 5.0.0-RC1, < 5.9.21
cms >= 4.0.0-RC1, <= 4.17.14
