CVE-2026-44012
Description
Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.
Affected products
1Patches
1e3f3eaab3d85Fixed GHSA-33m5-hqp9-97pw
2 files changed · +4 −0
CHANGELOG.md+1 −0 modified@@ -3,6 +3,7 @@ ## Unreleased - Fixed a bug where sites with missing `enabled` values were being treated as enabled. ([#18572](https://github.com/craftcms/cms/issues/18572)) +- Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) information disclosure vulnerability. (GHSA-33m5-hqp9-97pw) ## 5.9.17 - 2026-03-17
src/controllers/AssetsController.php+3 −0 modified@@ -1445,6 +1445,9 @@ public function actionShowInFolder(): Response throw new BadRequestHttpException("Invalid asset ID: $assetId"); } + $this->requireVolumePermissionByAsset('viewAssets', $asset); + $this->requirePeerVolumePermissionByAsset('viewPeerAssets', $asset); + // get the folder for selected asset $folder = $asset->getFolder(); $sourcePath[] = $folder->getSourcePathInfo();
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.