CVE-2026-24749
Received Received - Intake
Access Grant Bypass in Silverstripe Assets Module Files

Publication date: 2026-04-16

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert(). Note that if developers use DBFile directly in the $db configuration for a DataObject class that doesn't subclass File, and if they were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If developers do not want to explicitly provide access grants for these files in their apps (i.e. they want these files to be accessible by default), they should use the "public" visibility. This issue has been fixed in versions 2.4.5 and 3.1.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24749
EUVD
EUVD-2026-23275
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
silverstripe assets_module to 3.1.2 (inc)
silverstripe assets_module to 2.4.5|end_including=3.1.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Silverstripe Assets Module versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2. When images are rendered in templates or accessed via DBFile::getURL() or DBFile::getSourceURL(), an access grant is incorrectly added to the current session. This bypasses file permissions, allowing access to files that should be protected.

This typically happens when creating an image variant using manipulation methods like ScaleWidth() or Convert(). Additionally, if developers use DBFile directly in the $db configuration for a DataObject class that does not subclass File and set file visibility to "protected", those files now require explicit access grants to be accessed. Without explicit grants, these files may be inaccessible unless their visibility is set to "public".

The issue was fixed in versions 2.4.5 and 3.1.3 of the Silverstripe Assets Module.

Impact Analysis

This vulnerability can lead to unauthorized access to protected image files by bypassing file permission controls. An attacker or unauthorized user could gain access to files that should be restricted, potentially exposing sensitive or private images.

If developers do not explicitly manage access grants for files configured with "protected" visibility, legitimate users might also face access issues, causing disruption in application functionality.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Silverstripe Assets Module to version 2.4.5 or later, or to version 3.1.3 or later if you are using the 3.x series.

Additionally, if your application uses DBFile directly in the $db configuration for a DataObject class that does not subclass File and sets file visibility to "protected", you will need to explicitly provide access grants for those files.

If you prefer files to be accessible by default without explicit access grants, consider setting the visibility of those files to "public".

Compliance Impact

This vulnerability allows images accessed via certain methods to incorrectly add an access grant to the current session, bypassing file permissions. This could lead to unauthorized access to protected files.

Such unauthorized access to protected files may impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

However, the provided information does not explicitly discuss the impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24749. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart