VYPR
Moderate severity · NVD Advisory · Published Mar 16, 2026 · Updated Mar 17, 2026

Craft CMS has a Path Traversal Vulnerability in AssetsController

CVE-2026-32262

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Craft CMS path traversal in AssetsController->replaceFile() lets authenticated users delete arbitrary files on the same filesystem root.

Vulnerability

Overview

CVE-2026-32262 is a path traversal vulnerability in Craft CMS, affecting versions 4.0.0-RC1 through 4.17.4 and 5.0.0-RC1 through 5.9.10. The flaw resides in the AssetsController->replaceFile() method, where the targetFilename body parameter is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with the replaceFiles permission to inject ../ path traversal sequences into the filename, enabling deletion of arbitrary files within the same filesystem root [1][4].

Exploitation

To exploit this vulnerability, an attacker must be authenticated and possess the replaceFiles permission on at least one volume. By crafting a malicious targetFilename containing path traversal sequences (e.g., ../../somefile.txt), the attacker can make the deleteFile() call target files outside the intended volume's directory. The attack is limited to local filesystems and cannot cross filesystem boundaries [1][4].

Impact

Successful exploitation allows an attacker to delete arbitrary files within the same filesystem root, potentially affecting other volumes or folders that share that root. This could lead to data loss or disruption of service, depending on the files deleted [1][4].

Mitigation

The vulnerability has been patched in Craft CMS versions 4.17.5 and 5.9.11. The fix, visible in commit c997efb, adds validation to reject filenames containing / or \ characters, preventing path traversal [3]. Users are strongly advised to update to the latest patched versions [4].
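The following is an added example, not Craft CMS code and not the fix-commit itself. It shows the shape of the guard the patch introduces (reject any targetFilename containing / or \) and adds a second, independent check that lexically normalises the candidate path and confirms it still lies under the volume root, so a filename that slips past the first check cannot reach deleteFile() with a path outside the volume. The volume root, the sample filenames and the function names are constructed for the example; str_contains() and str_starts_with() assume PHP 8, which Craft 4 and 5 already require.

```php
<?php
// Added example (not Craft CMS code): a defensive filename guard in the spirit
// of the c997efb fix, plus a path-containment check. All names are assumptions.

declare(strict_types=1);

/**
 * Reject a user-supplied target filename that could escape the volume folder.
 * Mirrors the patched check (no '/' or '\') and adds the other usual rejects.
 */
function isSafeTargetFilename(string $filename): bool
{
    if ($filename === '' || $filename === '.' || $filename === '..') {
        return false;
    }
    // Path separators are what makes "../" traversal possible at all.
    if (str_contains($filename, '/') || str_contains($filename, '\\')) {
        return false;
    }
    // A NUL byte can truncate the path in lower-level filesystem calls.
    if (str_contains($filename, "\0")) {
        return false;
    }
    return true;
}

/**
 * Lexically collapse '.', '..' and empty segments. No filesystem access, so it
 * works for paths that do not exist yet and cannot be fooled by symlinks on
 * the way (symlinks are a separate concern handled at the filesystem layer).
 */
function normalizePath(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts); // never climbs above the root, just drops a level
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

/**
 * Second line of defence: build the candidate path and confirm it stays inside
 * the volume root, regardless of what the filename check concluded.
 */
function pathStaysWithinRoot(string $root, string $filename): bool
{
    $rootNorm = normalizePath($root);
    $candidate = normalizePath($root . '/' . $filename);
    return str_starts_with($candidate, $rootNorm . '/');
}

// Constructed sample root and filenames, as a replaceFile() handler would see them.
$volumeRoot = '/srv/craft/web/uploads/images';
$samples = [
    'photo.jpg',               // ordinary name: accepted
    'report 2026.pdf',         // spaces are fine: accepted
    '../../../config/db.php',  // traversal via '/': rejected by the separator check
    '..\\..\\general.php',     // traversal via '\': rejected by the separator check
    '..',                      // bare parent reference: rejected by both checks
    "photo.jpg\0.png",         // NUL byte: rejected
];

foreach ($samples as $name) {
    $ok = isSafeTargetFilename($name) && pathStaysWithinRoot($volumeRoot, $name);
    printf("%-32s %s\n", json_encode($name), $ok ? 'accept' : 'reject');
}
```

The separator check alone is what the patch relies on; the containment check costs nothing extra and means a future change to how targetFilename is joined to the volume path does not silently reopen the issue. In a real handler the rejected case would be turned into a BadRequestHttpException before any deleteFile() call, as the patch does.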

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    | Affected versions        | Patched versions
craftcms/cms (Packagist)   | >= 4.0.0-RC1, < 4.17.5   | 4.17.5
craftcms/cms (Packagist)   | >= 5.0.0-RC1, < 5.9.11   | 5.9.11

Affected products

2

Patches

1
c997efbe4c66

Fixed GHSA-472v-j2g4-g9h2

https://github.com/craftcms/cms · brandonkelly · Feb 16, 2026 · via ghsa
2 files changed · +9 −0
  • CHANGELOG.md+1 0 modified
    @@ -4,6 +4,7 @@
     
     - Fixed a bug where the control panel requests could trigger an infinite browser redirect loop. ([#18420](https://github.com/craftcms/cms/issues/18420))
     - Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) RCE vulnerability. (GHSA-4484-8v2f-5748)
    +- Fixed a [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) path traversal vulnerability. (GHSA-472v-j2g4-g9h2)
     
     ## 4.17.4 - 2026-02-11
     
    
  • src/controllers/AssetsController.php+8 0 modified
    @@ -386,6 +386,14 @@ public function actionReplaceFile(): Response
     
             $sourceAssetId = $this->request->getBodyParam('sourceAssetId');
             $targetFilename = $this->request->getBodyParam('targetFilename');
    +
    +        if (
    +            $$targetFilename &&
    +            (str_contains($targetFilename, '/') || str_contains($targetFilename, '\\'))
    +        ) {
    +            throw new BadRequestHttpException('Invalid filename: $targetFilename');
    +        }
    +
             $uploadedFile = UploadedFile::getInstanceByName('replaceFile');
     
             $assets = Craft::$app->getAssets();
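Review bot: As rendered here, the guard reads `$$targetFilename &&`, which in PHP is a variable-variable: it looks up a variable whose name is the value of `$targetFilename` (undefined for any real filename), so the condition is always falsy and the separator check never fires. The intended line is `$targetFilename &&`. Two smaller points in the same block: the exception message is single-quoted, so `'Invalid filename: $targetFilename'` is emitted literally rather than interpolated (use double quotes or drop the value, since echoing a user-supplied filename back in an error is not needed); and the check only covers `/` and `\`, so it would be worth also rejecting a bare `..` and NUL bytes, or running `Assets::prepareAssetName()` before the `deleteFile()` call as well as on save, so the delete path and the saved path are derived from the same sanitised name.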
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.