Summary
Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user, even one with zero volume permissions, can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs.
This follows the exact same incomplete-patch pattern as four GHSAs merged on 2026-02-25 (GHSA-x76w-8c62-48mg, GHSA-vgjg-248p-rfm2, GHSA-5pgf-h923-m958, GHSA-3pvf-vxrv-hh9c), all of which added requireVolumePermissionByAsset() + requirePeerVolumePermissionByAsset() to sibling AssetsController actions. The actionShowInFolder method was introduced thirteen days before the patch wave and was not included in it.
Details
The vulnerability is in src/controllers/AssetsController.php at line 1437. The method:
- Calls
requireCpRequest(), verifies the request targets the CP, enforcesaccessCppermission viaController::_enforceAllowAnonymous(), but does NOT enforce any volume-level permission. - Fetches any asset by ID with
Asset::findOne($assetId), noeditable/savablescope filter, so all assets across all volumes are reachable. - Returns sensitive structural data via JSON.
Resources
https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586
Impact
- Any authenticated control panel user with only
accessCppermission can discover the filenames and complete folder structure (names, UIDs, handles, URIs) of assets in volumes they are not authorized to access. - Sensitive volume structures, private document repositories, confidential media, internal file names, are exposed to any user who can log into the control panel.
- This enables targeted follow-up attacks: an attacker who knows a private asset’s filename and folder path may have other avenues to exfiltrate the actual file.
The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-44012? CVE-2026-44012 is a high-severity missing authorization vulnerability in craftcms/cms (composer), affecting versions >= 5.0.0-RC1, < 5.9.18. It is fixed in 5.9.18. The application does not perform an authorization check before performing a sensitive operation.
- Which versions of craftcms/cms are affected by CVE-2026-44012? craftcms/cms (composer) versions >= 5.0.0-RC1, < 5.9.18 is affected.
- Is there a fix for CVE-2026-44012? Yes. CVE-2026-44012 is fixed in 5.9.18. Upgrade to this version or later.
- Is CVE-2026-44012 exploitable, and should I be worried? Whether CVE-2026-44012 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-44012 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-44012? Upgrade
craftcms/cmsto 5.9.18 or later.