PT-2026-41389 · Packagist+2 · Code16/Sharp+1
Published
2026-05-15
·
Updated
2026-06-10
·
CVE-2026-44692
CVSS v3.1
7.7
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Sharp versions prior to 9.22.0
Description
Sharp exposes a generic download endpoint 'GET /sharp/{globalFilter}/download/{entityKey}/{instanceId?}' that authorizes access based on a supplied entity instance but reads the target storage
disk and path from request parameters. Since the requested storage object is not bound to the authorized entity instance, an authenticated user with view access to a single valid record can use it as an authorization anchor to download unrelated disk-relative objects from configured Laravel Storage disks. This leads to the authenticated disclosure of unrelated objects, such as exports, backups, invoices, internal documents, or tenant-specific data, though it does not allow arbitrary host filesystem access outside the configured storage disk roots.Recommendations
Update to version 9.22.0.
As a temporary workaround, restrict
downloads.allowed disks to the minimum set of disks required for downloads.
Avoid storing sensitive unrelated files on disks reachable by the generic download endpoint.
Implement application-level controls to ensure requested files are bound to the authorized record.Exploit
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Code16/Sharp
Sharp