Authorization Flaw in Craft CMS Allows Unauthorized File Deletion
CVE-2026-50283

5.3MEDIUM

Key Information:

Vendor

Craftcms

Status
Vendor
CVE Published:
1 July 2026

What is CVE-2026-50283?

Craft CMS exhibits a critical authorization flaw in its AssetsController::actionReplaceFile function, allowing authenticated users to delete assets they should not have permission to access. By supplying both assetId and sourceAssetId, users can bypass permission checks and delete source assets from a volume where they lack delete rights, leading to broken content references and potential data loss. This vulnerability impacts various versions of Craft CMS and has been addressed in recent updates.

Affected Version(s)

cms >= 5.0.0-RC1, < 5.9.21 < 5.0.0-RC1, 5.9.21

cms >= 4.0.0-RC1, < 4.17.14 < 4.0.0-RC1, 4.17.14

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.