CVE-2026-44012
published 2026-05-12CVE-2026-44012: Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its…
PriorityP337high7.1CVSS 4.0
AVNACLATNPRLUINVCHVINVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.32%
24.1th percentile
Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | >= 5.0.0-RC1 < 5.9.18 | 5.9.18 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Craft CMS up to 5.9.17 actionShowInFolder authorization
vuldb·2026-05-12
CVE-2026-44012 [LOW] Craft CMS up to 5.9.17 actionShowInFolder authorization
A vulnerability was found in Craft CMS up to 5.9.17. It has been rated as problematic. This vulnerability affects the function AssetsController::actionShowInFolder. The manipulation leads to missing authorization.
This vulnerability is uniquely identified as CVE-2026-44012. The attack is possible to be carried out remotely. No exploit exists.
Upgrading the affected component is advised.
GHSA
Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
ghsa·2026-05-06
CVE-2026-44012 [HIGH] CWE-862 Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
## Summary
`AssetsController::actionShowInFolder()` fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has `viewAssets` or `viewPeerAssets` permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs.
This follows the exact same incomplete-patch pattern as four GHSAs merged on 2026-02-25 (GHSA-x76w-8c62-48mg, GHSA-vgjg-248p-rfm2, GHSA-5pgf-h923-m958, GHSA-3pvf-vxrv-hh9c),
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-12
Published