PT-2026-41389 · Packagist+2 · Code16/Sharp+1

Published

2026-05-15

·

Updated

2026-06-10

·

CVE-2026-44692

CVSS v3.1

7.7

High

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Sharp versions prior to 9.22.0
Description Sharp exposes a generic download endpoint 'GET /sharp/{globalFilter}/download/{entityKey}/{instanceId?}' that authorizes access based on a supplied entity instance but reads the target storage disk and path from request parameters. Since the requested storage object is not bound to the authorized entity instance, an authenticated user with view access to a single valid record can use it as an authorization anchor to download unrelated disk-relative objects from configured Laravel Storage disks. This leads to the authenticated disclosure of unrelated objects, such as exports, backups, invoices, internal documents, or tenant-specific data, though it does not allow arbitrary host filesystem access outside the configured storage disk roots.
Recommendations Update to version 9.22.0. As a temporary workaround, restrict downloads.allowed disks to the minimum set of disks required for downloads. Avoid storing sensitive unrelated files on disks reachable by the generic download endpoint. Implement application-level controls to ensure requested files are bound to the authorized record.

Exploit

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44692
GHSA-748W-HM6R-QC7V

Affected Products

Code16/Sharp
Sharp