CVE-2026-44012 Overview
Craft CMS contains a missing authorization vulnerability in the AssetsController::actionShowInFolder() method. The flaw affects versions from 5.0.0-RC1 to before 5.9.18. The controller fetches an asset by ID and returns its filename and complete folder hierarchy without verifying whether the requesting user holds viewAssets or viewPeerAssets permission on the asset's volume. Any authenticated Control Panel user — including accounts with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. The issue is tracked under [CWE-862] (Missing Authorization) and is fixed in version 5.9.18.
Critical Impact
Any authenticated Control Panel user can enumerate asset filenames, volume handles, volume UIDs, folder names, folder UIDs, and folder URI paths across every volume in the Craft CMS installation.
Affected Products
- Craft CMS versions 5.0.0-RC1 through 5.9.17
- Craft CMS Control Panel (AssetsController component)
- Installations exposing authenticated CP accounts to low-trust users
Discovery Timeline
- 2026-05-12 - CVE-2026-44012 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44012
Vulnerability Analysis
The vulnerability resides in the actionShowInFolder() endpoint of src/controllers/AssetsController.php. The handler accepts an asset ID from an authenticated Control Panel session, loads the corresponding asset object, and returns the asset's filename together with the full source path tree of its containing folder. The response payload includes the volume handle, the volume UID, every parent folder's name and UID, and folder URI paths.
The controller performs no authorization check before serializing this metadata. Craft CMS normally gates asset visibility through the viewAssets and viewPeerAssets volume permissions, but this code path bypasses those checks entirely. Any user who can authenticate to the Control Panel can iterate through numeric asset IDs and map the structure of volumes they have no permission to access.
Root Cause
The root cause is missing authorization [CWE-862]. The controller treats authentication as sufficient and omits the volume-permission gate that other asset endpoints enforce. Sensitive structural metadata is returned without consulting the permission subsystem.
Attack Vector
An attacker requires a valid Control Panel session with any privilege level. The attacker issues requests to the actionShowInFolder() endpoint with sequential or guessed asset IDs. Each successful response leaks filenames and the complete folder hierarchy for the asset's volume, enabling reconnaissance of restricted file repositories, customer uploads, or staging content.
throw new BadRequestHttpException("Invalid asset ID: $assetId");
}
+ $this->requireVolumePermissionByAsset('viewAssets', $asset);
+ $this->requirePeerVolumePermissionByAsset('viewPeerAssets', $asset);
+
// get the folder for selected asset
$folder = $asset->getFolder();
$sourcePath[] = $folder->getSourcePathInfo();
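Review bot: the two permission checks are inserted at the right point, after the `BadRequestHttpException` guard (so `$asset` is known to be loaded) and before `$asset->getFolder()` and `getSourcePathInfo()` read any folder metadata, but the hunk shows no accompanying regression test for a user lacking `viewAssets` or `viewPeerAssets` on the volume; adding one that expects the request to be refused would keep the gate from being silently dropped in a later refactor.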
Source: Craft CMS commit e3f3eaab3d85badd713cfc2c24e5f0792ecdb586. The patch adds two permission checks — requireVolumePermissionByAsset and requirePeerVolumePermissionByAsset — before any folder metadata is read or returned.
Detection Methods for CVE-2026-44012
Indicators of Compromise
- High-volume sequential requests from a single authenticated CP user to the asset show-in-folder action.
- Requests to AssetsController::actionShowInFolder originating from accounts that have never browsed assets through the standard UI.
- Unusual spikes in CP API traffic referencing arbitrary or non-existent asset IDs.
Detection Strategies
- Enable verbose web server access logging for the Craft CMS Control Panel and retain request paths and authenticated user IDs.
- Hunt for one authenticated session generating large numbers of assets/show-in-folder requests within a short time window.
- Correlate CP user privilege levels against the volumes referenced in successful responses to identify cross-volume enumeration.
Monitoring Recommendations
- Forward Craft CMS application and web server logs to a centralized analytics platform for query and alerting.
- Alert on authenticated users issuing requests at rates inconsistent with normal CP usage.
- Review audit trails for low-privilege accounts accessing asset metadata endpoints.
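A worked example of the hunting logic described under Detection Strategies (one authenticated session issuing many assets/show-in-folder requests within a short window, requests for non-existent asset IDs, and accounts that never used the standard asset browser), which also covers the rate-based alert under Monitoring Recommendations. This is added example code, not part of the advisory or of Craft CMS itself: the log line layout, the /admin/assets and /admin/actions/assets/show-in-folder paths, the assetId query parameter, and the window and threshold values are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real server output). The line layout is an
# assumption: it carries the authenticated CP user id beside the request path,
# which is what the advisory recommends retaining. Routes are assumed CP paths.
SAMPLE_LOG = """\
2026-05-13T10:00:00Z user=7 ip=198.51.100.20 GET /admin/assets 200
2026-05-13T10:00:01Z user=42 ip=203.0.113.5 POST /admin/actions/assets/show-in-folder?assetId=1000 200
2026-05-13T10:00:03Z user=7 ip=198.51.100.20 POST /admin/actions/assets/show-in-folder?assetId=14 200
2026-05-13T10:00:03Z user=42 ip=203.0.113.5 POST /admin/actions/assets/show-in-folder?assetId=1001 200
2026-05-13T10:00:05Z user=42 ip=203.0.113.5 POST /admin/actions/assets/show-in-folder?assetId=1002 200
2026-05-13T10:00:07Z user=42 ip=203.0.113.5 POST /admin/actions/assets/show-in-folder?assetId=1003 200
2026-05-13T10:00:09Z user=42 ip=203.0.113.5 POST /admin/actions/assets/show-in-folder?assetId=1004 200
2026-05-13T10:00:11Z user=42 ip=203.0.113.5 POST /admin/actions/assets/show-in-folder?assetId=1005 400
2026-05-13T10:00:13Z user=42 ip=203.0.113.5 POST /admin/actions/assets/show-in-folder?assetId=1006 200
2026-05-13T10:00:15Z user=42 ip=203.0.113.5 POST /admin/actions/assets/show-in-folder?assetId=1007 200
2026-05-13T10:00:17Z user=42 ip=203.0.113.5 POST /admin/actions/assets/show-in-folder?assetId=1008 200
2026-05-13T10:00:19Z user=42 ip=203.0.113.5 POST /admin/actions/assets/show-in-folder?assetId=1009 400
2026-05-13T10:00:21Z user=42 ip=203.0.113.5 POST /admin/actions/assets/show-in-folder?assetId=1010 200
2026-05-13T10:00:23Z user=42 ip=203.0.113.5 POST /admin/actions/assets/show-in-folder?assetId=1011 200
2026-05-13T10:02:10Z user=7 ip=198.51.100.20 POST /admin/actions/assets/show-in-folder?assetId=27 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) ip=\S+ [A-Z]+ (?P<path>\S+) (?P<status>\d{3})$"
)
ASSET_ID_RE = re.compile(r"[?&]assetId=(\d+)")
SHOW_IN_FOLDER = "assets/show-in-folder"  # action named in the advisory
ASSET_BROWSER = "/admin/assets"           # assumed path of the standard asset index UI


def parse_line(line):
    """Return one parsed event as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    aid = ASSET_ID_RE.search(m["path"])
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": int(m["user"]),
        "path": m["path"],
        "status": int(m["status"]),
        "asset_id": int(aid.group(1)) if aid else None,
    }


def is_asset_browser(path):
    """True for the normal asset browsing UI (not the show-in-folder action)."""
    return path == ASSET_BROWSER or path.startswith((ASSET_BROWSER + "/", ASSET_BROWSER + "?"))


def detect_enumeration(lines, window_seconds=60, threshold=5):
    """Flag each user who issues >= `threshold` show-in-folder requests inside any
    sliding window of `window_seconds`; return one finding dict per flagged user."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    browsed_ui = set()          # users seen in the standard asset browser so far
    recent = defaultdict(deque) # per-user timestamps inside the current window
    stats = defaultdict(lambda: {"total": 0, "ids": set(), "failed": 0,
                                 "flagged_at": None, "browsed_before": False})
    for e in events:
        user = e["user"]
        if is_asset_browser(e["path"]):
            browsed_ui.add(user)
            continue
        if SHOW_IN_FOLDER not in e["path"]:
            continue
        s = stats[user]
        if s["total"] == 0:  # did this account ever browse assets normally first?
            s["browsed_before"] = user in browsed_ui
        s["total"] += 1
        if e["asset_id"] is not None:
            s["ids"].add(e["asset_id"])
        if e["status"] >= 400:  # e.g. the BadRequestHttpException for unknown IDs
            s["failed"] += 1
        q = recent[user]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and s["flagged_at"] is None:
            s["flagged_at"] = e["ts"]
    findings = []
    for user, s in sorted(stats.items()):
        if s["flagged_at"] is None:
            continue
        ids = sorted(s["ids"])
        findings.append({
            "user": user,
            "first_flagged_at": s["flagged_at"].isoformat(),
            "show_in_folder_requests": s["total"],
            "distinct_asset_ids": len(ids),
            "consecutive_ids": len(ids) > 1 and ids[-1] - ids[0] + 1 == len(ids),
            "failed_requests": s["failed"],
            "browsed_asset_ui_first": s["browsed_before"],
        })
    return findings


if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed log, user 7 (two show-in-folder calls after opening the asset browser) is not flagged, while user 42 is flagged at the fifth request, with twelve consecutive asset IDs, two 400 responses for IDs that do not exist, and no prior visit to the asset browser; those three secondary signals are what separate scripted enumeration from a busy but legitimate editor, so tune `threshold` and `window_seconds` against a baseline of real CP traffic before alerting.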
How to Mitigate CVE-2026-44012
Immediate Actions Required
- Upgrade Craft CMS to version 5.9.18 or later, which contains the permission checks introduced in commit e3f3eaab.
- Audit existing Control Panel user accounts and disable or restrict any that no longer require access.
- Rotate session cookies and security keys after patching to invalidate any unauthorized reconnaissance sessions.
Patch Information
The vulnerability is fixed in Craft CMS 5.9.18. The fix is published in GitHub Security Advisory GHSA-33m5-hqp9-97pw and committed in Craft CMS commit e3f3eaab. Administrators should upgrade through the standard Composer update path and run pending migrations.
Workarounds
- Restrict Control Panel access to trusted networks using web server or firewall rules until the upgrade is applied.
- Reduce the number of authenticated CP users and revoke accounts that do not require ongoing access.
- Place a web application firewall rule in front of the assets/show-in-folder action to block requests from low-privilege accounts.
# Upgrade Craft CMS via Composer
composer require craftcms/cms:^5.9.18 --update-with-dependencies
php craft up
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.