CVE-2026-44692: Sharp Laravel Package Authenticated Path Traversal and Unauthorized File Disclosure
Sharp, a Laravel-based content management framework, contains a path traversal vulnerability in its file download functionality. An authenticated user who has legitimate access to view one record in Sharp can exploit a flaw in the download endpoint to retrieve unrelated files from any configured Laravel Storage disk. The vulnerability requires an attacker to be already logged into Sharp, but once authenticated, they can bypass the authorization checks that should restrict downloads to files associated with their authorized records. This affects confidentiality but not integrity or availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters. Because the requested storage object is not bound to the authorized entity instance, an authenticated Sharp user who can view one valid record may use that record as an authorization anchor to download unrelated disk-relative objects from configured Laravel Storage disks. The confirmed impact is authenticated disclosure of unrelated objects from configured Laravel Storage disks. This issue does not imply arbitrary host filesystem access outside configured Laravel Storage disk roots. This issue has been patched in version 9.22.0.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
Sharp's generic download endpoint validates that an authenticated user can access a specific Sharp entity instance, but fails to bind the requested storage disk and path to that authorized entity. The authorization check examines the entity instance only; the subsequent storage lookup accepts disk and path parameters directly from the request without validating that those resources belong to the authorized entity. This is a classic authorization bypass where the authentication anchor (the entity) is disconnected from the resource being accessed (arbitrary storage objects). The vulnerability is scoped to configured Laravel Storage disk roots and does not permit filesystem access outside those boundaries.
Business impact
Organizations deploying Sharp for content management face potential exposure of sensitive files stored on configured Laravel Storage disks—such as user data, documents, configuration artifacts, or other application assets. An attacker with any valid Sharp user account (including lower-privileged users) can enumerate and download files not intended for their access, leading to unauthorized information disclosure. This is particularly concerning in multi-tenant or role-separated environments where different users should only access their own data. The risk is heightened if backup files, logs, or other sensitive artifacts are stored on the same Laravel Storage disks as application data.
Affected systems
The vulnerability affects Sharp versions prior to 9.22.0. Any Laravel application using Sharp for its administrative or content management interface is at risk if running an affected version. The scope is limited to environments where one or more authenticated Sharp users have access to at least one valid record; the attacker does not need to be an administrator.
Exploitability
Exploitability is straightforward for an authenticated attacker. The vulnerability requires valid Sharp credentials and knowledge of or ability to discover storage disk names and file paths. An attacker can perform requests directly to the download endpoint, specifying arbitrary storage disks and paths while using their valid authentication. No special network access, user interaction, or complex attack chains are required. The main friction is discovering which files exist on the configured storage disks, though this can be inferred from error messages, application behavior, or reconnaissance.
Remediation
Upgrade Sharp to version 9.22.0 or later. The patch binds the requested storage resource to the authorized entity instance, ensuring that only files associated with an entity that the user is authorized to access can be downloaded. No workarounds are available for earlier versions; upgrading is the definitive fix.
Patch guidance
Review your Laravel application's composer.json or lock file to identify the current Sharp version. If the version is earlier than 9.22.0, update the package via composer. Test the upgrade in a non-production environment first to verify compatibility with your Sharp configuration and custom implementations. After deployment, verify that file downloads through Sharp's UI continue to function as expected and that unauthorized file access is no longer possible.
Detection guidance
Monitor Sharp download endpoint requests for suspicious patterns: requests to the download endpoint originating from users attempting to access storage paths outside their expected data scope, repeated requests with varying disk or path parameters, or downloads of system or configuration files. Log all download endpoint accesses and cross-reference them against which entities and users initiated them. If your application logs Laravel Storage disk access, correlate those logs with Sharp authentication sessions to identify unauthorized file retrievals. Look for error messages in application logs indicating invalid or unexpected path references.
Why prioritize this
This vulnerability rates HIGH (CVSS 7.7) and should be prioritized for immediate patching because it enables authenticated users to exfiltrate confidential data from shared storage infrastructure. The low attack complexity and lack of user interaction required, combined with high confidentiality impact and cross-boundary data access (S:C), make this a significant risk even though it requires valid credentials. Organizations should prioritize this upgrade within their standard critical-patch timelines.
Risk score, explained
The CVSS 7.7 score reflects a HIGH-severity vulnerability: network-accessible, low attack complexity, requires low privilege (authenticated user status), no user interaction needed, and causes complete confidentiality compromise. The scope is changed (S:C) because the attacker can access resources beyond their authorized entity boundary. Integrity and availability are not impacted. The high score is justified given that any authenticated Sharp user—not just administrators—can trigger the vulnerability.
Frequently asked questions
Do I need administrator privileges in Sharp to exploit this vulnerability?
No. Any authenticated Sharp user who can view at least one valid Sharp record can exploit this vulnerability. Lower-privileged users are equally able to extract files from configured storage disks.
Can an attacker gain access to files outside Laravel Storage disk roots?
No. The vulnerability is scoped to files within the roots of Laravel Storage disks configured in your application. System files outside those storage boundaries are not accessible.
What should I do if I suspect unauthorized downloads have already occurred?
Audit your Sharp download endpoint logs and Laravel Storage access logs for evidence of file downloads that correspond to users other than their authorized records. Review access logs for the time period before this vulnerability was disclosed and after your Sharp installation date. Consider whether any sensitive files on your configured storage disks may have been exposed and take appropriate incident response action.
Are there any configuration changes I should make after upgrading?
After upgrading to 9.22.0, no special configuration changes are required. Review your Sharp user roles and permissions to ensure that users have the minimum necessary access to records. If you use custom download implementations or extensions, verify that they also properly bind storage resources to authorized entities.
This analysis is provided for informational purposes to aid security professionals in vulnerability management and risk assessment. The technical details are derived from the published CVE description and do not constitute a comprehensive security audit. Verify patch versions, vendor advisories, and affected product versions directly with Sharp's official documentation and your application's dependency management records before taking remediation action. SEC.co does not provide legal advice or guarantees regarding patch effectiveness or exploit availability. Organizations are responsible for testing patches in their environment and assessing business risk before deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-14772HIGHABB T-MAC Plus Authorization Bypass (CVSS 8.8)
- CVE-2026-41084HIGHApache Airflow Task Instances API Authorization Bypass
- CVE-2026-42863HIGHFlowiseAI Mass Assignment Vulnerability in Chatflow Update Endpoint
- CVE-2026-45281HIGHNextcloud Calendar Authorization Bypass – Patched in 32.0.9 and 33.0.3
- CVE-2026-45743HIGHTermix Authorization Bypass in SSH File Manager
- CVE-2026-46414HIGHMicrosoft UFO WebSocket Authentication Bypass and Role Spoofing
- CVE-2026-46558HIGHPlane Cross-Workspace Authorization Bypass (v1.3.1 Patch)
- CVE-2026-49141HIGHWACRM Multi-Tenant Authorization Bypass Vulnerability