Authorization Issue in Craft CMS Affects Multiple Versions
CVE-2026-50282

4.9 MEDIUM

Key Information:

Vendor

Craftcms

Status
Vendor
CVE Published: 2 July 2026

What is CVE-2026-50282?

Craft CMS, a popular content management system, has a vulnerability that allows unauthorized deletion of folders during a forced move operation. Specifically, when a folder move is requested and the destination already contains a folder with the same name, the system can overwrite that existing folder without checking that the user has the necessary permissions. This flaw affects Craft CMS versions 5.0.0-RC1 and above prior to 5.9.21, as well as versions 4.0.0-RC1 and above prior to 4.17.14. The issue has been addressed in the latest releases, which require appropriate permissions before allowing folder overwrites.

Affected Version(s)

cms >= 5.0.0-RC1, < 5.9.21

cms >= 4.0.0-RC1, <= 4.17.14
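To check whether a deployment falls in these ranges, the following added example (not part of the original advisory or of Craft CMS) reads a `composer.lock` and compares the installed `craftcms/cms` version against the bounds given in the description, including its "prior to 4.17.14" upper bound for the 4.x line. The sample lock file content is constructed, and the function names are illustrative.

```python
import json
import re

# Ranges as given in the description above: (first affected, first fixed).
AFFECTED = [("5.0.0-RC1", "5.9.21"), ("4.0.0-RC1", "4.17.14")]
# Pre-release tags sort below the final release of the same number.
STABILITY = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3, "": 4}


def parse(version):
    """Turn '5.0.0-RC1' or 'v4.17.3' into a tuple that sorts correctly."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-?(alpha|beta|rc|dev)\.?(\d*))?",
                     version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    tag = (m.group(4) or "").lower()
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)),
            STABILITY[tag], int(m.group(5) or 0))


def is_affected(version):
    """True if the version lies in one of the affected ranges."""
    v = parse(version)
    return any(parse(lo) <= v < parse(hi) for lo, hi in AFFECTED)


def check_lock(lock_text, package="craftcms/cms"):
    """Return (version, affected) for the package in a composer.lock, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == package:
            return pkg["version"], is_affected(pkg["version"])
    return None


# Constructed sample composer.lock content (not from a real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "yiisoft/yii2", "version": "2.0.51"},
    {"name": "craftcms/cms", "version": "5.9.20"},
]})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```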

CVSS V4

Score: 4.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
