2026-05-12 20:19 | CVE-2026-44012 | GitHub_M
PUBLISHED | CVE record v5.2 | CWE-862

Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure

Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18.

Problem type

CWE-862: Missing Authorization

Affected products

craftcms

cms

>= 5.0.0-RC1, < 5.9.18 - AFFECTED

References

GitHub Security Advisories

GHSA-33m5-hqp9-97pw

Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure

https://github.com/advisories/GHSA-33m5-hqp9-97pw

Summary

AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs.

This follows the same incomplete-patch pattern as the four GHSAs merged on 2026-02-25 (GHSA-x76w-8c62-48mg, GHSA-vgjg-248p-rfm2, GHSA-5pgf-h923-m958, GHSA-3pvf-vxrv-hh9c), each of which added requireVolumePermissionByAsset() + requirePeerVolumePermissionByAsset() to sibling AssetsController actions. The actionShowInFolder method was introduced thirteen days before that patch wave and was not included in it.

Details

The vulnerability is in src/controllers/AssetsController.php at line 1437. The method:

  1. Calls requireCpRequest() — verifies the request targets the CP, enforces accessCp permission via Controller::_enforceAllowAnonymous(), but does NOT enforce any volume-level permission.
  2. Fetches any asset by ID with Asset::findOne($assetId) — no editable/savable scope filter, so all assets across all volumes are reachable.
  3. Returns sensitive structural data via JSON.
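
To make the pattern concrete, the following is an added PHP illustration and is not Craft CMS code: a stand-in control panel action with the vulnerable shape described above (accessCp check, fetch by arbitrary ID, return the folder structure) next to a hardened version that mirrors the fix the advisory names. The Asset and User classes, the permission key format viewAssets:<volume handle> / viewPeerAssets:<volume handle>, the sample data, and the signatures of requireVolumePermissionByAsset() and requirePeerVolumePermissionByAsset() are all assumptions made for this sketch; Craft's real classes and permission keys differ. It needs PHP 8.0 or later.

```php
<?php
// Added illustration of the CWE-862 pattern from the advisory; NOT Craft CMS code.
// Every class and permission key below is a hypothetical stand-in.

final class ForbiddenHttpException extends RuntimeException {}

final class Asset
{
    public function __construct(
        public int $id,
        public string $filename,
        public string $volumeHandle,
        public int $uploaderId,
        public array $folderPath,   // e.g. ['Contracts', '2026', 'Q1']
    ) {}
}

final class User
{
    /** @param string[] $permissions e.g. ['accessCp', 'viewAssets:public'] */
    public function __construct(public int $id, public array $permissions) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

// Constructed sample data: id => [filename, volume handle, uploader id, folder path].
// One public volume and one private "legal" volume.
const ASSETS = [
    1 => ['hero.jpg', 'public', 10, ['Images']],
    2 => ['merger-term-sheet.pdf', 'legal', 42, ['Contracts', '2026', 'Q1']],
];

function findAsset(int $id): ?Asset
{
    if (!isset(ASSETS[$id])) {
        return null;
    }
    [$name, $volume, $uploader, $path] = ASSETS[$id];
    return new Asset($id, $name, $volume, $uploader, $path);
}

function serializeAsset(Asset $asset): array
{
    return ['filename' => $asset->filename, 'volume' => $asset->volumeHandle, 'path' => $asset->folderPath];
}

// Vulnerable shape: only "is this a CP user" (accessCp) is enforced, then the asset
// is loaded by a client-supplied ID and its structure is returned unconditionally.
function showInFolderVulnerable(User $user, int $assetId): array
{
    if (!$user->can('accessCp')) {
        throw new ForbiddenHttpException('CP access required');
    }
    $asset = findAsset($assetId) ?? throw new RuntimeException('asset not found');
    return serializeAsset($asset);
}

// Hardened shape: the caller must hold viewAssets on the asset's volume and, when the
// asset was uploaded by someone else, viewPeerAssets on that volume as well.
// The "<permission>:<volume handle>" key format is an assumption of this sketch.
function requireVolumePermissionByAsset(User $user, Asset $asset): void
{
    if (!$user->can("viewAssets:{$asset->volumeHandle}")) {
        throw new ForbiddenHttpException("no viewAssets on volume {$asset->volumeHandle}");
    }
}

function requirePeerVolumePermissionByAsset(User $user, Asset $asset): void
{
    if ($asset->uploaderId !== $user->id && !$user->can("viewPeerAssets:{$asset->volumeHandle}")) {
        throw new ForbiddenHttpException("no viewPeerAssets on volume {$asset->volumeHandle}");
    }
}

function showInFolderHardened(User $user, int $assetId): array
{
    if (!$user->can('accessCp')) {
        throw new ForbiddenHttpException('CP access required');
    }
    $asset = findAsset($assetId) ?? throw new RuntimeException('asset not found');
    // Authorization is keyed on the loaded asset's volume, so it must run after the
    // fetch and before any metadata is serialized.
    requireVolumePermissionByAsset($user, $asset);
    requirePeerVolumePermissionByAsset($user, $asset);
    return serializeAsset($asset);
}

// A CP user holding nothing but accessCp, probing an ID in the private volume.
$lowPriv = new User(7, ['accessCp']);

echo 'vulnerable: ', json_encode(showInFolderVulnerable($lowPriv, 2)), PHP_EOL;

try {
    showInFolderHardened($lowPriv, 2);
} catch (ForbiddenHttpException $e) {
    echo 'hardened: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php showinfolder.php`. The low-privilege user receives the private volume's filename and folder path from the vulnerable handler and a ForbiddenHttpException from the hardened one. When auditing other fetch-by-ID actions for the same class of bug, the question to ask of each one is the same as here: after the object is loaded, is there a check tied to that object's volume, or only the blanket CP-access check?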

Impact

  • Any authenticated control panel user with only accessCp permission can discover the filenames and complete folder structure (names, UIDs, handles, URIs) of assets in volumes they are not authorized to access.
  • Sensitive volume structures — private document repositories, confidential media, internal file names — are exposed to any user who can log into the control panel.
  • This enables targeted follow-up attacks: an attacker who knows a private asset’s filename and folder path may have other avenues to exfiltrate the actual file.

Resources

https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-44012
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-44012",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-05-12T20:19:33.550Z",
    "dateReserved": "2026-05-04T21:24:36.505Z",
    "datePublished": "2026-05-12T20:19:33.550Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-05-12T20:19:33.550Z"
      },
      "title": "Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure",
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18."
        }
      ],
      "affected": [
        {
          "vendor": "craftcms",
          "product": "cms",
          "versions": [
            {
              "version": ">= 5.0.0-RC1, < 5.9.18",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-862: Missing Authorization",
              "cweId": "CWE-862",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw",
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586",
          "name": "https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    }
  }
}