A vulnerability was found in Craft CMS up to 4.17.14/5.9.20. It has been declared as critical. The impacted element is the function
AssetsController::actionMoveFolder. Executing a manipulation can lead to missing authorization.
This vulnerability is handled as CVE-2026-50282. The attack can be executed remotely. There is not any exploit available.
It is recommended to upgrade the affected component.