Missing Authorization

CVE-2026-44012

Severity High
Score 7.1/10

Summary

`AssetsController::actionShowInFolder()` fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has `viewAssets` or `viewPeerAssets` permission on the asset's volume. Any authenticated CP user, even one with no volume permissions at all, can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. Affected versions: 5.0.0-RC1 up to, but not including, 5.9.18.
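
The flaw and its fix, as an added illustration in Python rather than the project's own PHP: the `Folder`, `Asset` and `User` types, the permission-string format and the sample data are a hypothetical model assumed here, and the hardened version assumes the usual split where `viewAssets` covers a user's own uploads and `viewPeerAssets` is additionally required for assets uploaded by other users.

```python
from collections import namedtuple

# Hypothetical minimal model of the objects the action touches (not the project's own classes).
Folder = namedtuple("Folder", "uid name path parent", defaults=(None,))
Asset = namedtuple("Asset", "id filename volume_handle volume_uid uploader_id folder")
User = namedtuple("User", "id permissions")  # permissions, e.g. {"viewAssets:<volume uid>"}

class Forbidden(Exception):
    """Raised when the caller lacks the required permission on the asset's volume."""

# Constructed sample data: one volume, one nested folder, one asset uploaded by user 42.
ROOT = Folder("folder-uid-1", "images", "images/")
SECRET = Folder("folder-uid-2", "board-only", "images/board-only/", parent=ROOT)
ASSETS = {7: Asset(7, "q4-forecast.pdf", "images", "volume-uid-1", 42, SECRET)}

def folder_hierarchy(folder):
    """Root-to-leaf list of the folder UIDs, names and URI paths the action reveals."""
    chain = []
    while folder is not None:
        chain.append({"uid": folder.uid, "name": folder.name, "path": folder.path})
        folder = folder.parent
    return chain[::-1]

def render(asset):
    return {"filename": asset.filename, "volumeHandle": asset.volume_handle,
            "volumeUid": asset.volume_uid, "folders": folder_hierarchy(asset.folder)}

def show_in_folder_vulnerable(user, asset_id):
    """Mirrors the flaw: only the asset's existence is checked, never the caller's rights."""
    return render(ASSETS[asset_id])

def is_authorized(user, asset):
    """viewAssets covers the caller's own uploads; peers' uploads also need viewPeerAssets."""
    if f"viewAssets:{asset.volume_uid}" not in user.permissions:
        return False
    return asset.uploader_id == user.id or f"viewPeerAssets:{asset.volume_uid}" in user.permissions

def show_in_folder_fixed(user, asset_id):
    """Hardened form: authorize against the asset's volume before revealing anything."""
    asset = ASSETS.get(asset_id)
    if asset is None or not is_authorized(user, asset):
        raise Forbidden  # one response for missing and forbidden, so IDs cannot be probed
    return render(asset)
```

With a user holding no permissions, the vulnerable function still returns the full root-to-leaf folder chain for asset 7, while the fixed one refuses; a user with only `viewAssets` on the volume can see their own uploads but not a peer's.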

CWE-862 - Missing Authorization

A missing authorization vulnerability occurs when software lets a user reach privileged functionality without verifying that the user is authorized to do so. The impact depends on the resources the software exposes and ranges from sensitive information exposure and denial of service to account takeover and complete system takeover.

References

Advisory Timeline

  • Published