GHSA-33M5-HQP9-97PW
Vulnerability from github – Published: 2026-05-06 17:54 – Updated: 2026-05-13 16:29
Summary
AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs.
This follows the exact same incomplete-patch pattern as four GHSAs merged on 2026-02-25 (GHSA-x76w-8c62-48mg, GHSA-vgjg-248p-rfm2, GHSA-5pgf-h923-m958, GHSA-3pvf-vxrv-hh9c), all of which added requireVolumePermissionByAsset() + requirePeerVolumePermissionByAsset() to sibling AssetsController actions. The actionShowInFolder method was introduced thirteen days before the patch wave and was not included in it.
Details
The vulnerability is in src/controllers/AssetsController.php at line 1437. The method:
1. Calls requireCpRequest() — verifies the request targets the CP and enforces the accessCp permission via Controller::_enforceAllowAnonymous(), but does NOT enforce any volume-level permission.
2. Fetches any asset by ID with Asset::findOne($assetId) — no editable/savable scope filter, so all assets across all volumes are reachable.
3. Returns sensitive structural data via JSON.
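As an added example (not code from the advisory or from Craft CMS), the audit script below scans a controller source file for action methods that load an Asset by ID without calling both volume permission guards named above, which is the sibling-action gap this advisory describes. The PHP sample embedded in it is constructed to mirror that pattern; the method signatures it uses are assumptions, not the project's verified API.

```python
import re

# Constructed PHP resembling a Craft-style controller (not the project's real
# source). One action carries both volume permission guards; the other only
# calls requireCpRequest(), matching the gap described in the advisory.
SAMPLE_PHP = r"""
class AssetsController extends Controller
{
    public function actionImageEditor(): Response
    {
        $this->requireCpRequest();
        $asset = Asset::findOne($this->request->getRequiredBodyParam('assetId'));
        $this->requireVolumePermissionByAsset('viewAssets', $asset);
        $this->requirePeerVolumePermissionByAsset('viewPeerAssets', $asset);
        return $this->asJson(['ok' => true]);
    }

    public function actionShowInFolder(): Response
    {
        $this->requireCpRequest();
        $asset = Asset::findOne($this->request->getRequiredParam('assetId'));
        return $this->asJson(['filename' => $asset->filename]);
    }
}
"""

ACTION_RE = re.compile(r'function\s+(action\w+)\s*\([^)]*\)[^{]*\{')
FETCH_RE = re.compile(r'Asset::find(?:One)?\s*\(')
GUARDS = ('requireVolumePermissionByAsset', 'requirePeerVolumePermissionByAsset')


def action_bodies(php: str):
    """Yield (name, body) for each actionXxx method, found by brace matching."""
    for m in ACTION_RE.finditer(php):
        depth, i = 1, m.end()
        while i < len(php) and depth:
            depth += {'{': 1, '}': -1}.get(php[i], 0)
            i += 1
        yield m.group(1), php[m.end():i - 1]


def unguarded_asset_actions(php: str) -> dict:
    """Map each action that loads an Asset by ID to the guard calls it lacks."""
    findings = {}
    for name, body in action_bodies(php):
        if not FETCH_RE.search(body):
            continue  # action never fetches an asset, nothing to guard
        missing = [g for g in GUARDS if g + '(' not in body]
        if missing:
            findings[name] = missing
    return findings


if __name__ == '__main__':
    for action, missing in unguarded_asset_actions(SAMPLE_PHP).items():
        print(f'{action}: missing {", ".join(missing)}')
```

Running the same scan over every controller in a codebase is a cheap regression check after a patch wave like the one the advisory references.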
Impact
- Any authenticated control panel user with only accessCp permission can discover the filenames and complete folder structure (names, UIDs, handles, URIs) of assets in volumes they are not authorized to access.
- Sensitive volume structures — private document repositories, confidential media, internal file names — are exposed to any user who can log into the control panel.
- This enables targeted follow-up attacks: an attacker who knows a private asset’s filename and folder path may have other avenues to exfiltrate the actual file.
Resources
https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.9.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44012"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T17:54:47Z",
"nvd_published_at": "2026-05-12T21:16:16Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`AssetsController::actionShowInFolder()` fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has `viewAssets` or `viewPeerAssets` permission on the asset\u2019s volume. Any authenticated CP user \u2014 even one with zero volume permissions \u2014 can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs.\n\nThis follows the exact same incomplete-patch pattern as four GHSAs merged on 2026-02-25 (GHSA-x76w-8c62-48mg, GHSA-vgjg-248p-rfm2, GHSA-5pgf-h923-m958, GHSA-3pvf-vxrv-hh9c), all of which added `requireVolumePermissionByAsset()` + `requirePeerVolumePermissionByAsset()` to sibling AssetsController actions. The `actionShowInFolder` method was introduced thirteen days before the patch wave and was not included in it.\n\n## Details\n\nThe vulnerability is in `src/controllers/AssetsController.php` at line 1437. The method:\n\n1. Calls `requireCpRequest()` \u2014 verifies the request targets the CP, enforces `accessCp` permission via `Controller::_enforceAllowAnonymous()`, but does NOT enforce any volume-level permission.\n2. Fetches any asset by ID with `Asset::findOne($assetId)` \u2014 no `editable`/`savable` scope filter, so all assets across all volumes are reachable.\n3. Returns sensitive structural data via JSON.\n\n## Impact\n\n- Any authenticated control panel user with only `accessCp` permission can discover the filenames and complete folder structure (names, UIDs, handles, URIs) of assets in volumes they are not authorized to access.\n- Sensitive volume structures \u2014 private document repositories, confidential media, internal file names \u2014 are exposed to any user who can log into the control panel.\n- This enables targeted follow-up attacks: an attacker who knows a private asset\u2019s filename and folder path may have other avenues to exfiltrate the actual file.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586",
"id": "GHSA-33m5-hqp9-97pw",
"modified": "2026-05-13T16:29:54Z",
"published": "2026-05-06T17:54:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44012"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS\u0027s Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure"
}