Authorization Flaw in Craft CMS Allows Unauthorized File Deletion
CVE-2026-50283
5.3MEDIUM
What is CVE-2026-50283?
Craft CMS exhibits a critical authorization flaw in its AssetsController::actionReplaceFile function, allowing authenticated users to delete assets they should not have permission to access. By supplying both assetId and sourceAssetId, users can bypass permission checks and delete source assets from a volume where they lack delete rights, leading to broken content references and potential data loss. This vulnerability impacts various versions of Craft CMS and has been addressed in recent updates.
Affected Version(s)
cms >= 5.0.0-RC1, < 5.9.21 < 5.0.0-RC1, 5.9.21
cms >= 4.0.0-RC1, < 4.17.14 < 4.0.0-RC1, 4.17.14
