A vulnerability was found in Craft CMS up to 4.17.14/5.9.20. It has been declared as critical. The impacted element is the function AssetsController::actionMoveFolder. Executing a manipulation can lead to missing authorization.

This vulnerability is handled as CVE-2026-50282. The attack can be executed remotely. There is not any exploit available.

It is recommended to upgrade the affected component.