CVE-2026-44692
Status: Deferred - Pending Action

Unauthorized File Download in Sharp CMS Framework

Vulnerability report for CVE-2026-44692, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description

Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters. Because the requested storage object is not bound to the authorized entity instance, an authenticated Sharp user who can view one valid record may use that record as an authorization anchor to download unrelated disk-relative objects from configured Laravel Storage disks. The confirmed impact is authenticated disclosure of unrelated objects from configured Laravel Storage disks. This issue does not imply arbitrary host filesystem access outside configured Laravel Storage disk roots. This issue has been patched in version 9.22.0.
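The binding failure the description names, as an added illustration in Python rather than Sharp's own PHP code: the disk, the two records, the users and both handler shapes below are constructed for this example. The patched handler shows one way of tying the served object to the authorized record (the advisory does not say how 9.22.0 does it), and the disk stand-in refuses paths that leave its root, mirroring why the advisory rules out host-filesystem access outside configured disk roots.

```python
"""Minimal model of the Sharp download-endpoint flaw (CWE-639) and of the
kind of binding that fixes it.

Added illustration in Python, not Sharp's PHP code: the disk, records,
users, route parameters and both handlers are constructed for this
example and only mirror the behaviour the advisory describes."""
import posixpath
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Authorization failure or an attempt to leave a disk root."""


@dataclass
class Disk:
    """Stand-in for a configured Laravel Storage disk: paths resolve
    relative to the root and anything escaping it is refused, which is
    why the advisory rules out host-filesystem access outside disk roots."""
    root: str
    files: dict                      # constructed objects: rel path -> bytes

    def read(self, path: str) -> bytes:
        rel = posixpath.normpath(path)
        if posixpath.isabs(rel) or rel in (".", "..") or rel.startswith("../"):
            raise Forbidden(f"{path!r} escapes disk root {self.root}")
        if rel not in self.files:
            raise FileNotFoundError(rel)
        return self.files[rel]


@dataclass
class Attachment:
    disk: str
    path: str


@dataclass
class Record:
    id: int
    owner: str
    attachments: dict = field(default_factory=dict)   # field name -> Attachment


# Constructed sample data: one disk, two records owned by different users.
DISKS = {
    "local": Disk("/srv/app/storage/app", {
        "invoices/1/invoice.pdf": b"%PDF invoice of record 1",
        "invoices/2/invoice.pdf": b"%PDF invoice of record 2",
        "exports/customers.csv": b"name,email\n",
    }),
}
RECORDS = {
    1: Record(1, "alice", {"pdf": Attachment("local", "invoices/1/invoice.pdf")}),
    2: Record(2, "bob", {"pdf": Attachment("local", "invoices/2/invoice.pdf")}),
}


def authorize_view(user: str, record: Record) -> None:
    """Entity-instance check shared by both handlers (owner-only here)."""
    if record.owner != user:
        raise Forbidden(f"{user} may not view record {record.id}")


def download_vulnerable(user: str, instance_id: int, query: dict) -> bytes:
    """Pre-9.22.0 shape: the instance is authorized, but disk and path are
    then taken from the request, so the record is only an anchor and any
    object on any configured disk can be fetched."""
    authorize_view(user, RECORDS[instance_id])
    return DISKS[query["disk"]].read(query["path"])


def download_fixed(user: str, instance_id: int, query: dict) -> bytes:
    """Patched shape (one possible binding, not Sharp's actual fix): the
    object is resolved from the authorized record's own attachment
    metadata; a request-supplied disk or path is ignored."""
    record = RECORDS[instance_id]
    authorize_view(user, record)
    attachment = record.attachments.get(query.get("field", ""))
    if attachment is None:
        raise Forbidden(f"record {record.id} has no such attachment")
    return DISKS[attachment.disk].read(attachment.path)


def raises(exc, fn, *args) -> bool:
    """True if fn(*args) raises exc; keeps the demo and checks readable."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    foreign = {"disk": "local", "path": "invoices/2/invoice.pdf"}
    print("vulnerable, alice anchored on record 1:", download_vulnerable("alice", 1, foreign))
    print("fixed, same request plus field=pdf:", download_fixed("alice", 1, {**foreign, "field": "pdf"}))
    print("root confinement still holds:", raises(Forbidden, download_vulnerable, "alice", 1,
                                                  {"disk": "local", "path": "../../.env"}))
```

Run stand-alone, the vulnerable handler hands alice record 2's invoice as long as she may view record 1, while the fixed handler serves only record 1's own attachment no matter what disk and path the request carries; the traversal probe fails in both, which is the disk-root confinement the advisory relies on when it limits the impact to configured disks.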

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Associated CPE (1):
Vendor: laravel
Product: sharp
Version / Range: before 9.22.0 (9.22.0 excluded)

Exploitability

CWE-639 (Authorization Bypass Through User-Controlled Key): the system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Here the user-controlled key is the request-supplied storage disk and path, which the download endpoint never ties back to the entity instance it authorized.

AI Quick Actions

Executive Summary

This vulnerability exists in Sharp, a content management framework for Laravel, prior to version 9.22.0. Sharp exposes a generic download endpoint that authorizes access only to a specific Sharp entity instance. However, it reads the target storage disk and path from request parameters without binding the requested storage object to the authorized entity instance.

As a result, an authenticated Sharp user who can view one valid record can use that record as an authorization anchor and download unrelated objects from any configured Laravel Storage disk, including objects that belong to records the user is not permitted to view. The exposure is confined to what those configured disks hold.

The vulnerability does not allow arbitrary access to the host filesystem outside the configured Laravel Storage disk roots. This issue was fixed in Sharp version 9.22.0.

Impact Analysis

The vulnerability allows an authenticated user with access to one valid Sharp entity record to download unrelated files from the configured Laravel Storage disks. This leads to unauthorized disclosure of potentially sensitive or confidential files stored within those disks.

Since the attacker can access files beyond their authorized entity instance, this can result in data leakage and compromise of information confidentiality.

The advisory confirms disclosure only: it describes no modification or deletion of files, and it rules out access outside the configured Laravel Storage disk roots.

Mitigation Strategies

Upgrade Sharp to version 9.22.0 or later, where the issue has been patched. The only precondition the advisory names is an authenticated Sharp user who can view one valid record, so until the upgrade is deployed the exposure is bounded by who holds such accounts and by what the configured Laravel Storage disks contain; review both.

Compliance Impact

This vulnerability allows an authenticated Sharp user to download unrelated objects from configured Laravel Storage disks by exploiting a generic download endpoint that improperly authorizes access. The confirmed impact is the authenticated disclosure of unrelated objects, which could lead to unauthorized access to sensitive data.

Such unauthorized disclosure of data may affect compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information. If the disclosed objects contain personal or protected health information, this vulnerability could result in non-compliance due to unauthorized data exposure.

Detection Guidance

Exploitation is visible only if the web server records the full request target, query string included (nginx's default combined format does, through its "$request" field). Look for requests to the Sharp download endpoint whose storage disk and path parameters name objects that do not belong to the entity instance in the URL. The advisory does not give the parameter names; the examples below assume disk and path, so substitute whatever your Sharp version actually sends.

Example commands against web server logs:

  • Requests to the download endpoint that carry disk and path parameters: grep -i 'download' /var/log/nginx/access.log | grep -E 'disk=|path='
  • If the application user is written into the log (nginx does not know it by default; a Laravel middleware or a custom log format has to add it), requests by a given user that carry the parameters: grep 'user_id=' /var/log/nginx/access.log | grep -E 'disk=|path='

The strongest signals are parameters naming objects whose names suggest sensitive content (backups, exports, other records' invoices) and a single client pulling many distinct paths through the same record.
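The same checks as a script over sample access-log lines, as an added example rather than the page's or Sharp's tooling. The log lines are constructed; the route shape (/sharp/download/<entity>/<instance>), the parameter names (disk, path), the allowlisted disk and the per-record path layout (<entity>/<instance>/...) are assumptions to adjust to your deployment. It goes a step beyond the grep commands above by correlating requests per client and record, which is what exposes a single account walking unrelated objects through one anchor.

```python
"""Detection pass over web-server access logs for abuse of a Sharp
download endpoint of the kind CVE-2026-44692 describes.

Added example, not from Sharp or the page: the log lines are constructed,
and the route shape (/sharp/download/<entity>/<instance>), the parameter
names (disk, path), the allowlisted disk and the per-record path layout
(<entity>/<instance>/...) are assumptions to adjust to your deployment."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# nginx/Apache combined format: client ident user [ts] "METHOD target proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
DOWNLOAD_RE = re.compile(r"^/sharp/download/(?P<entity>[^/?]+)/(?P<instance>[^/?]+)$")  # assumed
ALLOWED_DISKS = {"local"}                      # assumed: the disk the feature should serve
SENSITIVE = re.compile(r"(^|/)(backups?|exports?|dumps?)/|\.(sql|zip|tar|gz|env|bak)$", re.I)
ENUM_THRESHOLD = 3   # distinct paths pulled through one record anchor by one client

# Constructed sample log: one legitimate fetch, then the same client pulling
# another record's file, an export and a backup through record 1; then a
# traversal probe from a second client, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2026:14:02:11 +0000] "GET /sharp/download/invoices/1?disk=local&path=invoices%2F1%2Finvoice.pdf HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2026:14:02:40 +0000] "GET /sharp/download/invoices/1?disk=local&path=invoices%2F2%2Finvoice.pdf HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2026:14:03:05 +0000] "GET /sharp/download/invoices/1?disk=local&path=exports%2Fcustomers.csv HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2026:14:03:30 +0000] "GET /sharp/download/invoices/1?disk=backups&path=db.sql HTTP/1.1" 200 5120000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2026:14:05:00 +0000] "GET /sharp/download/invoices/7?disk=local&path=..%2F..%2F.env HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.7 - - [10/Jun/2026:14:05:10 +0000] "GET /login HTTP/1.1" 200 1200 "-" "curl/8.0"
"""


def parse(line: str):
    """Return the download request's fields, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    route = DOWNLOAD_RE.match(target.path)
    if not route:
        return None
    q = parse_qs(target.query)           # percent-decodes the values
    return {
        "client": m["client"], "status": m["status"],
        "entity": route["entity"], "instance": route["instance"],
        "disk": q.get("disk", [""])[0], "path": q.get("path", [""])[0],
    }


def findings(lines):
    """One finding per download request that trips at least one check."""
    out = []
    anchors = defaultdict(set)      # (client, entity, instance) -> distinct paths
    for n, line in enumerate(lines, 1):
        r = parse(line)
        if r is None:
            continue
        reasons = []
        if r["disk"] and r["disk"] not in ALLOWED_DISKS:
            reasons.append("disk not allowlisted")
        if r["path"].startswith("/") or ".." in r["path"].split("/"):
            reasons.append("path traversal attempt")
        if r["path"] and not r["path"].startswith(f"{r['entity']}/{r['instance']}/"):
            reasons.append("path outside the anchoring record")
        if SENSITIVE.search(r["path"]):
            reasons.append("sensitive object")
        key = (r["client"], r["entity"], r["instance"])
        anchors[key].add(r["path"])
        if len(anchors[key]) == ENUM_THRESHOLD:      # flagged once, when the threshold is hit
            reasons.append("enumeration through one anchor")
        if reasons:
            out.append({"line": n, "client": r["client"], "status": r["status"],
                        "disk": r["disk"], "path": r["path"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']} {f['client']} {f['status']} {f['disk']}:{f['path']} -> {', '.join(f['reasons'])}")
```

On the sample the legitimate first request is silent, the three follow-ups through record 1 are flagged (the third also as enumeration), and the traversal probe is reported even though it returned 404, since a failed probe still identifies a client worth watching. The status is kept in each finding so that, after the upgrade, responses other than 200 can be read as blocked attempts rather than disclosures.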
