CVE-2026-32262 Overview
CVE-2026-32262 is a Path Traversal vulnerability affecting Craft CMS, a popular content management system. The vulnerability exists in the AssetsController->replaceFile() method, which fails to properly sanitize the targetFilename body parameter before using it in a deleteFile() call. This allows an authenticated attacker with replaceFiles permission to inject ../ path traversal sequences into the filename, enabling arbitrary file deletion within the same filesystem root.
Critical Impact
Authenticated users with replaceFiles permission can delete arbitrary files across volumes sharing the same filesystem root, potentially causing data loss, application instability, or denial of service conditions.
Affected Products
- Craft CMS versions 4.0.0-RC1 through 4.17.4
- Craft CMS versions 5.0.0-RC1 through 5.9.10
- Local filesystem configurations only (remote filesystems are not affected)
Discovery Timeline
- 2026-03-16 - CVE-2026-32262 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-32262
Vulnerability Analysis
This Path Traversal vulnerability (CWE-22) stems from improper input validation in Craft CMS's asset management functionality. The AssetsController->replaceFile() method accepts a targetFilename parameter from the request body and passes it directly to a deleteFile() operation without first sanitizing the input. While the Assets::prepareAssetName() function is eventually applied on save, the critical issue is that the deletion operation occurs before this sanitization step.
The vulnerability requires authentication and specifically the replaceFiles permission, limiting the attack surface to authenticated users with asset management capabilities. However, within that context, an attacker can escape the intended directory boundaries and delete files in other folders or volumes that share the same filesystem root. This only impacts local filesystem configurations—remote or cloud-based storage solutions are not affected.
Root Cause
The root cause is a classic path traversal vulnerability pattern where user-controlled input containing directory traversal sequences (../ or ..\) is passed to file system operations without validation. The targetFilename parameter is used in the deleteFile() function call before any path normalization or traversal character filtering occurs. This ordering error allows the attacker's malicious path to be fully processed by the file system.
Attack Vector
An authenticated attacker with replaceFiles permission can exploit this vulnerability by sending a crafted HTTP request to the asset replacement endpoint. By including path traversal sequences such as ../ in the targetFilename parameter, the attacker can reference files outside the intended asset directory. When the deleteFile() operation executes, it deletes the targeted file based on the unsanitized path, allowing cross-volume file deletion within the shared filesystem root.
The attack is network-accessible and requires low privileges (valid authentication with the replaceFiles permission). No user interaction is required once the attacker has the necessary access level.
// Security patch from Craft CMS - src/controllers/AssetsController.php
$sourceAssetId = $this->request->getBodyParam('sourceAssetId');
$targetFilename = $this->request->getBodyParam('targetFilename');
+
+ if (
+ $$targetFilename &&
+ (str_contains($targetFilename, '/') || str_contains($targetFilename, '\\'))
+ ) {
+ throw new BadRequestHttpException('Invalid filename: $targetFilename');
+ }
+
$uploadedFile = UploadedFile::getInstanceByName('replaceFile');
$assets = Craft::$app->getAssets();
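Review bot: the new condition reads `$$targetFilename`, which in PHP is a variable-variable (it looks up a second variable named by the string in `$targetFilename`), so as pasted the guard is evaluated against the wrong value; this is almost certainly `$targetFilename` mangled in extraction, but it should be confirmed against the commit before anyone copies the hunk. Second, the exception message is single-quoted, so `$targetFilename` is not interpolated and the client sees the literal text "Invalid filename: $targetFilename"; use double quotes or `sprintf()` if the offending value is meant to appear. The rule itself is sound: a bare filename never legitimately needs `/` or `\`, so rejecting both separators outright is simpler and stricter than trying to strip `..` sequences, and placing the check before `UploadedFile::getInstanceByName()` and the asset service call keeps every file operation behind it.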
Source: GitHub Commit c997efbe4c66c14092714233aeebff15cdbfcf11
The patch adds validation logic that checks if the targetFilename contains forward slashes (/) or backslashes (\). If traversal characters are detected, the request is rejected with a BadRequestHttpException, preventing the path traversal attack before any file operations occur.
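As an added example that is not Craft's own code, the Python model below reproduces the ordering problem described above (the delete runs before any sanitisation), applies the patch's separator rule, and then layers on a resolved-path containment check that goes slightly beyond the patch. The two-volume layout, the file names and the function names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def is_safe_target_filename(target_filename: str) -> bool:
    """Mirror the Craft CMS patch: a bare filename never needs '/' or '\\',
    so the presence of either separator is enough to refuse the request.
    Like the patch, an empty value is left to later validation."""
    if not target_filename:
        return True
    return "/" not in target_filename and "\\" not in target_filename


def vulnerable_delete(volume_root: str, target_filename: str) -> str:
    """Pre-patch ordering (constructed model, not Craft's code): the raw
    name is joined onto the volume root and deleted before any check."""
    path = os.path.join(volume_root, target_filename)
    if os.path.isfile(path):
        os.remove(path)
    return os.path.abspath(path)


def hardened_delete(volume_root: str, target_filename: str) -> str:
    """Post-patch ordering: validate first, delete last. The containment
    check is defence in depth beyond the patch: a name such as '..' passes
    the separator rule but still resolves outside the volume."""
    if not target_filename:
        raise ValueError("Empty filename")
    if not is_safe_target_filename(target_filename):
        raise ValueError(f"Invalid filename: {target_filename}")
    root = Path(volume_root).resolve()
    path = (root / target_filename).resolve()
    if root not in path.parents:
        raise ValueError(f"Filename escapes volume root: {target_filename}")
    if path.is_file():
        path.unlink()
    return str(path)


def demo(delete_fn) -> bool:
    """Lay out two volumes under one filesystem root (constructed), then ask
    delete_fn to remove a file from volume A using a traversal name that
    points into volume B. Returns True if the file in volume B survived."""
    with tempfile.TemporaryDirectory() as fs_root:
        vol_a = os.path.join(fs_root, "volume_a")
        vol_b = os.path.join(fs_root, "volume_b")
        os.makedirs(vol_a)
        os.makedirs(vol_b)
        victim = os.path.join(vol_b, "important.pdf")
        with open(victim, "w") as fh:
            fh.write("constructed sample content")
        try:
            delete_fn(vol_a, "../volume_b/important.pdf")
        except ValueError:
            pass  # the hardened path refuses the request
        return os.path.exists(victim)


if __name__ == "__main__":
    print("vulnerable ordering, victim survived:", demo(vulnerable_delete))
    print("hardened ordering, victim survived:  ", demo(hardened_delete))
```

Running the module shows the unpatched ordering removing a file from a sibling volume while the hardened version refuses the same request; the containment check is the part to keep even after upgrading, since it catches names that slip past a separator-only rule.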
Detection Methods for CVE-2026-32262
Indicators of Compromise
- HTTP POST requests to the asset replacement endpoint containing ../ or ..\ sequences in the targetFilename parameter
- Unexpected file deletions in asset storage directories or adjacent volumes
- Web server logs showing requests with encoded path traversal characters (%2e%2e%2f or %2e%2e%5c)
- Anomalous activity from authenticated users with replaceFiles permission targeting multiple volumes
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns in request parameters
- Configure application logging to capture all asset replacement operations including the full targetFilename value
- Monitor file integrity of critical system files and configuration files within the Craft CMS filesystem root
- Deploy intrusion detection rules to alert on requests containing directory traversal sequences to Craft CMS endpoints
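As an added detection example (not from this page or the Craft project), the Python script below applies the indicators and detection strategies listed above to constructed log lines: it decodes URL encoding, including double encoding, before matching, flags traversal sequences and bare path separators in targetFilename, ignores non-POST and non-asset requests, and counts flagged requests per account. The endpoint path prefix and the log layout are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote

# Assumed action path prefix for the asset-replacement endpoint; the page does
# not name it, so adjust this placeholder for your installation.
ASSET_ENDPOINT_PREFIX = "/admin/actions/assets/"

# Raw traversal sequences, matched only after URL decoding.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")

# Constructed sample log lines (not from any real deployment). Layout is
# "METHOD PATH STATUS USER key=value ..." and assumes the application logs the
# full targetFilename value, as recommended above.
SAMPLE_LOG = """\
POST /admin/actions/assets/replace-file 200 editor targetFilename=report-final.pdf
POST /admin/actions/assets/replace-file 200 editor targetFilename=../volume_b/config.php
POST /admin/actions/assets/replace-file 200 contractor targetFilename=%2e%2e%2f%2e%2e%2fweb%2findex.php
POST /admin/actions/assets/replace-file 200 contractor targetFilename=..%5cvolume_b%5cbackup.zip
POST /admin/actions/assets/replace-file 200 contractor targetFilename=%252e%252e%252fshared%252fnotes.txt
GET /admin/actions/assets/thumb 200 viewer uri=../other.png
POST /admin/actions/assets/replace-file 200 editor targetFilename=sub/dir.pdf
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo URL encoding until the value stops changing, so %2e%2e%2f and
    double-encoded %252e%252e%252f both surface as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_filename(raw_name: str) -> Optional[str]:
    """Return why a targetFilename is suspicious, or None if it looks benign.
    Uses the same rule as the fix: a bare filename never needs a separator."""
    decoded = fully_decode(raw_name)
    if TRAVERSAL_RE.search(decoded):
        return "traversal sequence"
    if "/" in decoded or "\\" in decoded:
        return "path separator"
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed-format log line into a flat event dict."""
    parts = line.split()
    if len(parts) < 4:
        return None
    event = {"method": parts[0], "path": parts[1], "status": parts[2], "user": parts[3]}
    for kv in parts[4:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def scan_log(log_text: str) -> List[Dict[str, str]]:
    """Flag POSTs to the asset endpoint whose targetFilename decodes to a
    traversal sequence or carries a path separator."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["method"] != "POST":
            continue
        if not event["path"].startswith(ASSET_ENDPOINT_PREFIX):
            continue
        raw = event.get("targetFilename", "")
        reason = classify_filename(raw)
        if reason:
            findings.append({"user": event["user"], "raw": raw,
                             "decoded": fully_decode(raw), "reason": reason})
    return findings


def users_over_threshold(findings: List[Dict[str, str]], threshold: int) -> List[str]:
    """Accounts with at least `threshold` flagged requests, for the
    'anomalous activity from one user' indicator."""
    counts = Counter(f["user"] for f in findings)
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['user']:<12} {f['reason']:<18} {f['raw']} -> {f['decoded']}")
    print("repeat offenders:", users_over_threshold(hits, 3))
```

Decoding before matching is what makes the encoded-character indicator usable; a regex applied to the raw field would miss every line that used %2e%2e%2f. The separator rule also surfaces the benign-looking sub/dir.pdf, which is worth reviewing since the patched versions reject it with a 400.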
Monitoring Recommendations
- Enable verbose logging for the AssetsController to capture all file operations with full path information
- Set up file integrity monitoring (FIM) on critical directories within the Craft CMS installation
- Configure alerts for unusual patterns of file deletion activity, especially across multiple volumes
- Review access logs for authenticated sessions with replaceFiles permission exhibiting suspicious behavior
How to Mitigate CVE-2026-32262
Immediate Actions Required
- Upgrade Craft CMS 4.x installations to version 4.17.5 or later immediately
- Upgrade Craft CMS 5.x installations to version 5.9.11 or later immediately
- Audit replaceFiles permissions and restrict to only trusted users until patching is complete
- Review recent file deletion logs to identify any potential exploitation attempts
Patch Information
Craft CMS has released security patches addressing this vulnerability. Users should update to the patched versions immediately:
- Craft CMS 4.x: Upgrade to version 4.17.5 or later
- Craft CMS 5.x: Upgrade to version 5.9.11 or later
The fix adds input validation to reject any targetFilename values containing path separator characters (/ or \), preventing traversal attacks before file operations are executed. For technical details, refer to the GitHub Security Advisory GHSA-472v-j2g4-g9h2 and the commit with the security fix.
Workarounds
- Temporarily revoke replaceFiles permission from all non-essential users until patching is complete
- Deploy WAF rules to block requests containing path traversal sequences targeting Craft CMS asset endpoints
- If using local filesystems, consider isolating each volume to separate filesystem roots to limit the impact of any traversal attacks
- Implement additional access controls at the web server level to restrict access to asset management functionality
# Example: Nginx configuration to block path traversal attempts
# Caveat: an "if" inside a location block is evaluated in the rewrite phase,
# before nginx has read the request body, so $request_body is empty at this
# point unless a module such as ngx_http_lua_module has read it first.
# Treat this as a template for a body-inspecting WAF layer, not a
# stand-alone control.
location /admin/actions/assets/ {
    # Block bodies carrying a traversal sequence, raw or URL-encoded
    # (~* is case-insensitive, so %2E%2E%2F is covered as well)
    if ($request_body ~* "(\.\./|\.\.\\|%2e%2e%2f|%2e%2e%5c)") {
        return 403;
    }
    # Continue with normal processing
    proxy_pass http://backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


