CVE-2026-44012

UNKNOWN 0.0

Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.

CWE	CWE-862
Vendor	craftcms
Product	cms
Published	May 12, 2026
Last Updated	May 13, 2026

Stay Ahead of the Next One

Get instant alerts for craftcms cms

Be the first to know when new unknown vulnerabilities affecting craftcms cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

craftcms / cms

>= 5.0.0-RC1, < 5.9.18

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw github.com: https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586