CVE-2026-24749
Status: Received - Intake
Access Grant Bypass in Silverstripe Assets Module Files

Publication date: 2026-04-16

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert(). Note that if developers use DBFile directly in the $db configuration for a DataObject class that doesn't subclass File, and if they were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If developers do not want to explicitly provide access grants for these files in their apps (i.e. they want these files to be accessible by default), they should use the "public" visibility. This issue has been fixed in versions 2.4.5 and 3.1.3.
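The following is an added illustration of the post-fix behaviour described above; it is not code from the Silverstripe project or from this advisory. It assumes silverstripe/assets 2.4.5+ or 3.1.3+, where DBFile::getURL() no longer grants session access as a side effect, and the class, field and method names (MemberDocument, Scan, storeScan, getScanUrlForCurrentUser) are hypothetical. It shows the case the advisory calls out: a DBFile used directly in $db on a DataObject that does not subclass File, stored with "protected" visibility, so the application must perform its own authorisation check and then grant access explicitly before rendering the file.

```php
<?php
// Added illustration, not Silverstripe project code. Assumes silverstripe/assets
// >= 2.4.5 or >= 3.1.3 (fixed versions). Class, field and method names are
// hypothetical; the Silverstripe APIs used (DBFile, AssetStore visibility
// constants, grantFile(), setFromLocalFile(), getURL()) are the library's own.

namespace App\Model;

use SilverStripe\Assets\Storage\AssetStore;
use SilverStripe\ORM\DataObject;
use SilverStripe\Security\Member;
use SilverStripe\Security\Security;

class MemberDocument extends DataObject
{
    private static $table_name = 'MemberDocument';

    // DBFile used directly in $db: this object is not a File subclass, so
    // File::canView() never runs for it. Access is governed only by the
    // asset store visibility and by per-session grants.
    private static $db = [
        'Title' => 'Varchar(255)',
        'Scan'  => 'DBFile',
    ];

    private static $has_one = [
        'Owner' => Member::class,
    ];

    // Store the upload as a protected asset so the web server does not serve it
    // directly; requests are routed through the asset store's protected handler,
    // which only serves files the current session has been granted.
    public function storeScan(string $localPath, string $filename): void
    {
        $this->Scan->setFromLocalFile($localPath, $filename, null, null, [
            'visibility' => AssetStore::VISIBILITY_PROTECTED,
        ]);
        $this->write();
    }

    // Application-level authorisation: only the owner may see the scan.
    public function canViewScan(): bool
    {
        $member = Security::getCurrentUser();
        return $member !== null && (int) $member->ID === (int) $this->OwnerID;
    }

    // In the fixed versions, rendering $Scan.ScaleWidth(300) in a template or
    // calling getURL() no longer grants access implicitly. Grant explicitly,
    // and only after the application's own check has passed. Returning null
    // (rather than a URL) for unauthorised users avoids leaking the path.
    public function getScanUrlForCurrentUser(): ?string
    {
        if (!$this->Scan->exists() || !$this->canViewScan()) {
            return null;
        }
        $this->Scan->grantFile(); // session-scoped grant for this file and hash
        return $this->Scan->getURL();
    }
}
```

Files that are meant to be readable by anyone should instead be stored with AssetStore::VISIBILITY_PUBLIC (or published via publishFile()), as the advisory recommends, rather than relying on a grant being added as a side effect of rendering.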
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor        Product         Version / Range              Fixed in
silverstripe  assets_module   earlier than 2.4.5           2.4.5
silverstripe  assets_module   3.0.0-rc1 to 3.1.2 (inc)     3.1.3
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows images accessed via certain methods to incorrectly add an access grant to the current session, bypassing file permissions. This could lead to unauthorized access to protected files.

Such unauthorized access to protected files may impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

However, the provided information does not explicitly discuss the impact on compliance with these standards.


Can you explain this vulnerability to me?

The vulnerability affects Silverstripe Assets Module versions prior to 2.4.5 and versions 3.0.0-rc1 through 3.1.2. When an image stored as a protected file is rendered in a template, or its URL is obtained via DBFile::getURL() or DBFile::getSourceURL(), an access grant for that file is incorrectly added to the current session. The session can then fetch the protected file directly, bypassing the file's permission checks.

This typically happens when an image variant is created, for example with a manipulation method such as ScaleWidth() or Convert(). The fix also changes behaviour for developers who use DBFile directly in the $db configuration of a DataObject class that does not subclass File and store those files with "protected" visibility: after upgrading, such files require an explicit access grant before they can be accessed. If they are meant to be accessible by default, their visibility should be set to "public" instead.

The issue was fixed in versions 2.4.5 and 3.1.3 of the Silverstripe Assets Module.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized access to protected files: rendering, or resolving the URL of, an image that should be restricted grants the current session access to it, so a user who is not permitted to view the file can then retrieve it. Sensitive or private images may be exposed as a result.

If developers do not explicitly manage access grants for files configured with "protected" visibility, legitimate users might also face access issues, causing disruption in application functionality.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade the Silverstripe Assets Module to version 2.4.5 or later in the 2.x series, or to version 3.1.3 or later in the 3.x series. Note that 3.0.x and 3.1.0 through 3.1.2 are affected even though they are numerically newer than 2.4.5.

Additionally, if your application uses DBFile directly in the $db configuration for a DataObject class that does not subclass File and sets file visibility to "protected", you will need to explicitly provide access grants for those files.

If you prefer files to be accessible by default without explicit access grants, consider setting the visibility of those files to "public".

