Description
Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.
Published: 2026-05-12
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Craft CMS versions from 5.0.0‑RC1 through before 5.9.18 allow any authenticated control panel user, even one with no volume permissions, to request asset IDs and receive the asset’s filename and the full folder hierarchy of its volume. The vulnerability arises because AssetsController::actionShowInFolder() lacks a viewAssets or viewPeerAssets permission check. The disclosed information includes volume handle, volume UID, folder names, folder UIDs, and folder URI paths, which can aid in covert mapping of the CMS asset structure.

Affected Systems

Vendor: CraftCMS; Product: Craft CMS. Affected versions are 5.0.0‑RC1 up to, but not including, 5.9.18.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate severity. The vulnerability is limited to authenticated CP users, so an attacker must have valid login credentials to interact with the system. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Additive enumeration of asset identifiers and folder paths can facilitate targeted attacks or reconnaissance, but requires an authenticated session. No further exploitation conditions are reported beyond user permission checks.

Generated by OpenCVE AI on May 12, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 5.9.18 or later, which removes the missing permission check.
  • If an upgrade is delayed, remove or minimize viewAssets and viewPeerAssets permissions for all CP users to prevent enumeration of untrusted volumes.
  • Continuously monitor CP access logs for anomalous asset enumeration activity and audit user privilege assignments.

Generated by OpenCVE AI on May 12, 2026 at 22:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-33m5-hqp9-97pw Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
History

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Tue, 12 May 2026 21:00:00 +0000

Type Values Removed Values Added
Description Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.
Title Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Craftcms Craftcms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T14:49:47.308Z

Reserved: 2026-05-04T21:24:36.505Z

Link: CVE-2026-44012

cve-icon Vulnrichment

Updated: 2026-05-13T14:49:43.817Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T21:16:16.003

Modified: 2026-05-13T14:54:50.290

Link: CVE-2026-44012

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T09:45:09Z

Weaknesses