Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure — CVE-2026-44012
GitHub · GitHub · CVE-2026-44012
ID
CVE-2026-44012
CVE-2026-44012
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
7.1
7.1
EPSS
0.00031
0.00031
Summary
## Summary `AssetsController::actionShowInFolder()` fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has `viewAssets` or `viewPeerAssets` permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate…
Product
composer: craftcms/cms
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.