Vulnerability Description
Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.
Related Weaknesses (CWE)
References
- https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586
- https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw
FAQ
What is CVE-2026-44012?
CVE-2026-44012 is a documented vulnerability. Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (i...
How severe is CVE-2026-44012?
CVSS scoring is not yet available for CVE-2026-44012. Check NVD for updates.
Is there a patch for CVE-2026-44012?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.