GHSA-748W-HM6R-QC7V

Vulnerability from github – Published: 2026-05-15 18:01 – Updated: 2026-06-11 13:30
Summary
Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint
Details

Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters.

Because the requested storage object is not bound to the authorized entity instance, an authenticated Sharp user who can view one valid record may use that record as an authorization anchor to download unrelated disk-relative objects from configured Laravel Storage disks.

The confirmed impact is authenticated disclosure of unrelated objects from configured Laravel Storage disks. This issue does not imply arbitrary host filesystem access outside configured Laravel Storage disk roots.

Impact

An authenticated Sharp user with view access to at least one valid Sharp entity instance may be able to download unrelated files from configured Laravel Storage disks by supplying a different disk and path to the generic download endpoint.

Depending on the application, exposed files may include exports, backups, invoices, internal documents, uploads belonging to other records, tenant-specific data, or operational files stored on private application disks.

The attacker does not need authorization to the storage object being downloaded. They only need an authenticated Sharp session and view access to one valid entity instance that can be used as the authorization anchor.

Attack requirements

An attacker must have:

  • an authenticated Sharp session
  • view access to at least one valid Sharp entity instance

The attacker does not need authorization to the storage object being downloaded.

Affected endpoint

GET /sharp/{globalFilter}/download/{entityKey}/{instanceId?}

Patches

After the fix, requests to the generic download endpoint without a valid signature are rejected. Modifying the disk, path, entityKey, or instanceId parameters of a Sharp-generated download URL invalidates the signature and prevents the modified request from being used to download another storage object.

Workarounds

If upgrading is not immediately possible, applications should restrict downloads.allowed_disks to the smallest possible set of disks required by Sharp downloads.

Applications should also avoid storing sensitive unrelated files on disks reachable by Sharp’s generic download endpoint, and should add application-level controls to ensure that requested files are bound to the authorized record.

Disk allowlisting reduces the reachable storage surface, but it does not fully fix the missing per-record file binding. Upgrading to a patched version is recommended.
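The signature check described under Patches, combined with the disk allowlist and per-record binding recommended under Workarounds, modelled as an added example; this is not Sharp's or Laravel's code, and the key, allowlist, record index, URL layout and function names are constructed for illustration.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qsl, urlsplit

# Constructed secret and disk allowlist; a real app takes these from its configuration.
APP_KEY = b"constructed-demo-key-not-a-real-secret"
ALLOWED_DISKS = {"exports"}  # models the downloads.allowed_disks workaround

# Constructed per-record index of the storage objects each entity instance owns.
RECORD_FILES = {("invoice", "42"): {("exports", "invoices/42.pdf")}}

# Every parameter that selects which object is served is covered by the signature.
SIGNED_FIELDS = ("disk", "path", "entityKey", "instanceId")

def _canonical(params):
    return urlencode([(k, params[k]) for k in SIGNED_FIELDS]).encode()

def sign_download_url(base, params):
    """Server side: build the download URL that would be handed to the browser."""
    sig = hmac.new(APP_KEY, _canonical(params), hashlib.sha256).hexdigest()
    return f"{base}?{urlencode(dict(params, signature=sig))}"

def authorize_download(url):
    """Server side check on an incoming request; returns (allowed, reason)."""
    q = dict(parse_qsl(urlsplit(url).query))
    sig = q.pop("signature", None)
    if sig is None or any(k not in q for k in SIGNED_FIELDS):
        return False, "missing signature or parameters"
    expected = hmac.new(APP_KEY, _canonical(q), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "invalid signature"  # any edited field lands here
    if q["disk"] not in ALLOWED_DISKS:
        return False, "disk not allowlisted"
    owned = RECORD_FILES.get((q["entityKey"], q["instanceId"]), set())
    if (q["disk"], q["path"]) not in owned:
        return False, "file not bound to record"  # the per-record binding
    return True, "ok"

def tamper(url, field, value):
    """Rewrite one query parameter while keeping the original signature."""
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query))
    q[field] = value
    return parts._replace(query=urlencode(q)).geturl()
```

The allowlist and record-binding checks run only after the signature verifies, so a rewritten disk or path never reaches the storage layer.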

Resources

  • Laravel signed URLs documentation: https://laravel.com/docs/urls#signed-urls
  • CWE-639: https://cwe.mitre.org/data/definitions/639.html

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "code16/sharp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.22.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-15T18:01:03Z",
    "nvd_published_at": "2026-06-10T22:16:57Z",
    "severity": "HIGH"
  },
  "details": "Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage `disk` and `path` from request parameters.\n\nBecause the requested storage object is not bound to the authorized entity instance, an authenticated Sharp user who can view one valid record may use that record as an authorization anchor to download unrelated disk-relative objects from configured Laravel Storage disks.\n\nThe confirmed impact is authenticated disclosure of unrelated objects from configured Laravel Storage disks. This issue does not imply arbitrary host filesystem access outside configured Laravel Storage disk roots.\n\n### Impact\n\nAn authenticated Sharp user with view access to at least one valid Sharp entity instance may be able to download unrelated files from configured Laravel Storage disks by supplying a different `disk` and `path` to the generic download endpoint.\n\nDepending on the application, exposed files may include exports, backups, invoices, internal documents, uploads belonging to other records, tenant-specific data, or operational files stored on private application disks.\n\nThe attacker does not need authorization to the storage object being downloaded. They only need an authenticated Sharp session and view access to one valid entity instance that can be used as the authorization anchor.\n\n### Attack requirements\n\nAn attacker must have:\n\n- an authenticated Sharp session\n- view access to at least one valid Sharp entity instance\n\nThe attacker does not need authorization to the storage object being downloaded.\n\n### Affected endpoint\n\n`GET /sharp/{globalFilter}/download/{entityKey}/{instanceId?}`\n\n### Patches\n\nAfter the fix, requests to the generic download endpoint without a valid signature are rejected. Modifying the `disk`, `path`, `entityKey`, or `instanceId` parameters of a Sharp-generated download URL invalidates the signature and prevents the modified request from being used to download another storage object.\n\n### Workarounds\n\nIf upgrading is not immediately possible, applications should restrict `downloads.allowed_disks` to the smallest possible set of disks required by Sharp downloads.\n\nApplications should also avoid storing sensitive unrelated files on disks reachable by Sharp\u2019s generic download endpoint, and should add application-level controls to ensure that requested files are bound to the authorized record.\n\nDisk allowlisting reduces the reachable storage surface, but it does not fully fix the missing per-record file binding. Upgrading to a patched version is recommended.\n\n### Resources\n\n- Laravel signed URLs documentation: https://laravel.com/docs/urls#signed-urls\n- CWE-639: https://cwe.mitre.org/data/definitions/639.html",
  "id": "GHSA-748w-hm6r-qc7v",
  "modified": "2026-06-11T13:30:32Z",
  "published": "2026-05-15T18:01:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/code16/sharp/security/advisories/GHSA-748w-hm6r-qc7v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44692"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/code16/sharp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/code16/sharp/releases/tag/v9.22.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint"
}

