Missing Authorization in Craft CMS - CVE-2026-44012

Published: June 16, 2026


Vulnerability identifier: #VU134672
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-44012
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pixel & Tonic, Inc.
Affected software:
Craft CMS

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in AssetsController::actionShowInFolder() when handling control panel requests for asset IDs. A remote user can supply an arbitrary asset ID and receive details about that asset without being authorized to view it.

The issue exposes asset filenames and the complete folder hierarchy of the asset, including volume handles, volume UIDs, folder names, folder UIDs, and folder URI paths.
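The defensive pattern for this class of bug is to resolve the asset, check that the current user may view its volume, and only then walk the folder chain. The following is an added illustration written for this advisory, not Pixel & Tonic's code or the vendor's actual patch; the class name is hypothetical, and the Craft helper calls and the `viewAssets:<volumeUid>` permission key are assumptions that should be verified against the installed Craft version.

```php
<?php
// Added example, not the vendor's patch. Hardened shape of a CP action that
// maps an asset ID to its folder hierarchy: authorize before disclosing.
// Assumed Craft APIs: Craft::$app->getElements()->getElementById(),
// Craft::$app->getUser()->checkPermission(), Asset::getVolume()/getFolder(),
// VolumeFolder::getParent(), and the "viewAssets:<uid>" permission name.

namespace app\controllers;

use Craft;
use craft\elements\Asset;
use craft\web\Controller;
use yii\web\NotFoundHttpException;
use yii\web\Response;

class ExampleAssetsController extends Controller // hypothetical name
{
    public function actionShowInFolder(): Response
    {
        $this->requireCpRequest();
        $this->requireAcceptsJson();

        $assetId = (int)$this->request->getRequiredBodyParam('assetId');

        // Resolve the asset, but do not reveal anything about it yet.
        $asset = Craft::$app->getElements()->getElementById($assetId, Asset::class);
        if ($asset === null) {
            throw new NotFoundHttpException('Asset not found.');
        }

        // Authorization check that the vulnerable action lacked: the user must
        // be allowed to view assets in this asset's volume. Respond the same
        // way as for a missing asset so valid IDs cannot be enumerated.
        $volume = $asset->getVolume();
        if (!Craft::$app->getUser()->checkPermission("viewAssets:{$volume->uid}")) {
            throw new NotFoundHttpException('Asset not found.');
        }

        // Only an authorized caller reaches the folder walk that exposes
        // folder names, UIDs and URI paths.
        $path = [];
        for ($folder = $asset->getFolder(); $folder !== null; $folder = $folder->getParent()) {
            array_unshift($path, ['name' => $folder->name, 'uid' => $folder->uid, 'path' => $folder->path]);
        }

        return $this->asJson([
            'filename' => $asset->getFilename(),
            'volume'   => $volume->handle,
            'folders'  => $path,
        ]);
    }
}
```

Returning the same 404 for both "not found" and "not permitted" also keeps the asset ID space from being probed through timing or status-code differences.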


How to mitigate CVE-2026-44012

Install the security update from the vendor's website.

Sources