{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24749", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-26T19:06:16.060Z", "datePublished": "2026-04-16T17:08:59.133Z", "dateUpdated": "2026-04-16T17:08:59.133Z"}, "containers": {"cna": {"title": "Silverstripe Assets Module has a DBFile::getURL() permission bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/silverstripe/silverstripe-assets/security/advisories/GHSA-jgcf-rf45-2f8v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/silverstripe/silverstripe-assets/security/advisories/GHSA-jgcf-rf45-2f8v"}, {"name": "https://www.silverstripe.org/download/security-releases/cve-2026-24749", "tags": ["x_refsource_MISC"], "url": "https://www.silverstripe.org/download/security-releases/cve-2026-24749"}], "affected": [{"vendor": "silverstripe", "product": "silverstripe-assets", "versions": [{"version": "< 2.4.5", "status": "affected"}, {"version": ">= 3.0.0-rc1, < 3.1.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T17:08:59.133Z"}, "descriptions": [{"lang": "en", "value": "The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert(). Note that if developers use DBFile directly in the $db configuration for a DataObject class that doesn't subclass File, and if they were setting the visibility of those files to \"protected\", those files will now need an explicit access grant to be accessed. If developers do not want to explicitly provide access grants for these files in their apps (i.e. they want these files to be accessible by default), they should use the \"public\" visibility. This issue has been fixed in versions 2.4.5 and 3.1.3."}], "source": {"advisory": "GHSA-jgcf-rf45-2f8v", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert(). Note that if developers use DBFile directly in the $db configuration for a DataObject class that doesn't subclass File, and if they were setting the visibility of those files to \"protected\", those files will now need an explicit access grant to be accessed. If developers do not want to explicitly provide access grants for these files in their apps (i.e. they want these files to be accessible by default), they should use the \"public\" visibility. This issue has been fixed in versions 2.4.5 and 3.1.3."}], "id": "CVE-2026-24749", "lastModified": "2026-04-16T18:16:44.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-16T18:16:44.610", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/silverstripe/silverstripe-assets/security/advisories/GHSA-jgcf-rf45-2f8v"}, {"source": "security-advisories@github.com", "url": "https://www.silverstripe.org/download/security-releases/cve-2026-24749"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0-rc1,3.1.3)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "silverstripe-assets", "source": "cna", "vendor": "silverstripe"}, "product": "silverstripe", "vendor": "silverstripe"}], "analysis": {"en": {"generated_at": "2026-04-16T18:29:48.715348+00:00", "value": {"mitigation_remediation": ["Upgrade Silverstripe Assets Module to version 2.4.5 or newer, or to 3.1.3 or newer, to eliminate the implicit grant behavior.", "If an upgrade cannot be performed immediately, change the visibility of all DBFile objects to \"public\" so that files are accessible by default and no implicit grants are created.", "For legacy DBFile usage in custom DataObject classes, either convert those fields to subclass File or explicitly grant access to protected files; do not rely on the default grant mechanism."], "summary": {"action": "Patch Upgrade", "impact": "Permission Bypass"}, "threat_synthesis": {"affected_systems": "Any installation of the Silverstripe Framework that includes the Assets Module with a version earlier than 2.4.5 or between 3.0.0\u2011rc1 and 3.1.2 is vulnerable. The issue manifests when templates render images or when image manipulation functions such as ScaleWidth() or Convert() are called. Systems that define DBFile fields in custom DataObject classes without subclassing File and set their visibility to \"protected\" are also at risk, since the implicit grant can expose those files as well.", "description_and_impact": "In Silverstripe Assets Module versions before 2.4.5 and prior to 3.1.3, the method that generates URLs for database files does not respect the file\u2019s visibility setting when creating image variants. As a result, the system creates an implicit session grant that allows any user to download the file, even when the file is marked as \"protected\". This flaw maps to CWE-863, indicating a breach of access control. The consequence is that sensitive files can be accessed by unauthorized users, undermining confidentiality and potentially enabling further exploitation if the files contain privileged data.", "risk_and_exploitability": "The CVSS base score of 5.3 categorizes the issue as medium severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog, indicating that there is no known widespread exploitation. However, because the flaw is triggered by common image processing operations that occur during normal site operation, an attacker who can influence image manipulation requests\u2014such as through crafted URLs or template injection\u2014could easily cause the system to grant unauthorized access to protected files. The lack of explicit access controls on indirectly accessed files or database fields further lowers the barrier to exploitation."}}}}, "created": "2026-04-16T18:30:10.539249+00:00", "updated": "2026-04-16T18:58:23.631566+00:00", "vendors": ["silverstripe", "silverstripe$PRODUCT$silverstripe"]}