Skip to main content

Sharp CVE-2026-44692

| EUVDEUVD-2026-36118 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-15 https://github.com/code16/sharp GHSA-748w-hm6r-qc7v
7.7
CVSS 3.1 · Vendor: https://github.com/code16/sharp
Share

Severity by source

Vendor (https://github.com/code16/sharp) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from Vendor (https://github.com/code16/sharp) · only source for this CVE.

CVSS VectorVendor: https://github.com/code16/sharp

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 15, 2026 - 19:00 vuln.today
Analysis Generated
May 15, 2026 - 19:00 vuln.today

DescriptionCVE.org

Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters.

Because the requested storage object is not bound to the authorized entity instance, an authenticated Sharp user who can view one valid record may use that record as an authorization anchor to download unrelated disk-relative objects from configured Laravel Storage disks.

The confirmed impact is authenticated disclosure of unrelated objects from configured Laravel Storage disks. This issue does not imply arbitrary host filesystem access outside configured Laravel Storage disk roots.

Impact

An authenticated Sharp user with view access to at least one valid Sharp entity instance may be able to download unrelated files from configured Laravel Storage disks by supplying a different disk and path to the generic download endpoint.

Depending on the application, exposed files may include exports, backups, invoices, internal documents, uploads belonging to other records, tenant-specific data, or operational files stored on private application disks.

The attacker does not need authorization to the storage object being downloaded. They only need an authenticated Sharp session and view access to one valid entity instance that can be used as the authorization anchor.

Attack requirements

An attacker must have:

  • an authenticated Sharp session
  • view access to at least one valid Sharp entity instance

The attacker does not need authorization to the storage object being downloaded.

Affected endpoint

GET /sharp/{globalFilter}/download/{entityKey}/{instanceId?}

Patches

After the fix, requests to the generic download endpoint without a valid signature are rejected. Modifying the disk, path, entityKey, or instanceId parameters of a Sharp-generated download URL invalidates the signature and prevents the modified request from being used to download another storage object.

Workarounds

If upgrading is not immediately possible, applications should restrict downloads.allowed_disks to the smallest possible set of disks required by Sharp downloads.

Applications should also avoid storing sensitive unrelated files on disks reachable by Sharp’s generic download endpoint, and should add application-level controls to ensure that requested files are bound to the authorized record.

Disk allowlisting reduces the reachable storage surface, but it does not fully fix the missing per-record file binding. Upgrading to a patched version is recommended.

Resources

  • Laravel signed URLs documentation: https://laravel.com/docs/urls#signed-urls
  • CWE-639: https://cwe.mitre.org/data/definitions/639.html

AnalysisAI

Authenticated users in Sharp (a Laravel admin framework) can bypass authorization to download arbitrary files from any configured Laravel Storage disk through the generic download endpoint. The vulnerability allows authenticated users with view access to any single Sharp entity to download unrelated files including backups, invoices, internal documents, and tenant-specific data by manipulating the disk and path parameters. Sharp v9.22.0 fixes this by implementing signed URLs that prevent parameter tampering.

Technical ContextAI

Sharp is a content management framework for Laravel applications. The vulnerability exists in Sharp's generic download endpoint at GET /sharp/{globalFilter}/download/{entityKey}/{instanceId?} which performs authorization checks against the supplied entity instance but then reads the actual storage disk and path from untrusted request parameters. This represents a CWE-639 (Authorization Bypass Through User-Controlled Key) vulnerability where the authorization decision is decoupled from the resource being accessed. The affected component is identified by CPE pkg:composer/code16_sharp.

RemediationAI

Upgrade Sharp to version 9.22.0 or later which implements signed URLs to prevent parameter tampering on the download endpoint. The patch ensures that modifying the disk, path, entityKey, or instanceId parameters invalidates the signature and blocks unauthorized downloads. For immediate mitigation before upgrading, restrict the downloads.allowed_disks configuration to the minimum required set of disks and avoid storing sensitive unrelated files on Sharp-accessible disks. Note that disk allowlisting only reduces exposure surface area and does not fix the underlying authorization bypass - upgrading remains essential. Vendor advisory available at https://github.com/code16/sharp/security/advisories/GHSA-748w-hm6r-qc7v.

Share

CVE-2026-44692 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy