Threat Feed advisory (severity: high)

Authenticated Sharp Users Can Download Unrelated Laravel Storage Objects

An authenticated Sharp user with view access to at least one valid Sharp entity instance can download unrelated files from configured Laravel Storage disks by manipulating the `disk` and `path` parameters in the generic download endpoint, potentially exposing sensitive data like backups and internal documents; this vulnerability is tracked as CVE-2026-44692.

The Sharp package for Laravel exposes a generic download endpoint that does not correctly authorize access to storage objects. An authenticated user who has view access to at least one valid Sharp entity instance can exploit this vulnerability (CVE-2026-44692) to download unrelated files from Laravel Storage disks. The application authorizes the request against the Sharp entity instance, but then reads the storage disk and path directly from the request parameters, so there is no binding between the authorized entity and the storage object actually served. This allows attackers to bypass the intended access controls and read potentially sensitive files stored on any configured Laravel Storage disk. Successful exploitation requires a valid Sharp session and view access to one valid entity instance. Sharp versions prior to 9.22.0 are affected.

Attack Chain

  1. Attacker authenticates to the Sharp application with valid credentials.
  2. Attacker identifies a valid Sharp entity instance to which they have view access.
  3. Attacker crafts a request to the /sharp/{globalFilter}/download/{entityKey}/{instanceId?} endpoint.
  4. The attacker modifies the disk and path parameters in the request to point to a different file within the configured Laravel Storage disks.
  5. The application authorizes the request based on the valid Sharp entity instance, but doesn’t validate the requested disk or path against that instance.
  6. The application retrieves the file specified by the manipulated disk and path parameters from the Laravel Storage disk.
  7. The application sends the contents of the unrelated file to the attacker.
  8. The attacker gains unauthorized access to potentially sensitive information, such as backups, invoices, or internal documents.

Impact

Successful exploitation of CVE-2026-44692 can lead to the authenticated disclosure of unrelated objects from configured Laravel Storage disks. Exposed files may include exports, backups, invoices, internal documents, uploads belonging to other records, tenant-specific data, or operational files stored on private application disks. The severity of the impact depends on the sensitivity of the data stored on the affected Laravel Storage disks.

Recommendation

  • Upgrade the Composer package code16/sharp to version 9.22.0 or later, which includes a fix for CVE-2026-44692.
  • Restrict downloads.allowed_disks to the smallest possible set of disks required by Sharp downloads, as mentioned in the advisory.
  • Deploy the Sigma rule “Detect Sharp Laravel Storage Download Endpoint Abuse” to identify requests that may be exploiting this vulnerability.
  • Monitor web server logs for requests to the /sharp/{globalFilter}/download/{entityKey}/{instanceId?} endpoint where the disk or path parameters deviate significantly from expected values.
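As an added example of the log monitoring recommended above (not code from the advisory or from the Sharp project), the Python below reviews constructed access-log lines and flags requests to the Sharp download route whose disk is outside an assumed mirror of downloads.allowed_disks, whose path escapes the storage root or is not scoped to the authorized entity instance (assuming an {entityKey}/{instanceId}/ storage layout), or that carry no signature parameter. It assumes the disk and path parameters travel in the query string; the log lines and allowed-disk set are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined format) for the Sharp download
# route; illustrative only, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/May/2026:10:00:01 +0000] "GET /sharp/default/download/invoices/42?disk=local&path=invoices/42/invoice.pdf&signature=abc HTTP/1.1" 200 5120
10.0.0.5 - alice [01/May/2026:10:00:09 +0000] "GET /sharp/default/download/invoices/42?disk=backups&path=db/2026-05-01.sql.gz&signature=abc HTTP/1.1" 200 80000
10.0.0.5 - alice [01/May/2026:10:00:15 +0000] "GET /sharp/default/download/invoices/42?disk=local&path=..%2F..%2F.env HTTP/1.1" 200 612
10.0.0.7 - bob [01/May/2026:10:01:00 +0000] "GET /sharp/default/download/invoices/43?disk=local&path=invoices/43/invoice.pdf&signature=def HTTP/1.1" 200 4300
"""

# Route shape from the advisory: /sharp/{globalFilter}/download/{entityKey}/{instanceId?}
ROUTE_RE = re.compile(
    r"^/sharp/(?P<globalFilter>[^/]+)/download/(?P<entityKey>[^/?]+)(?:/(?P<instanceId>[^/?]+))?/?$")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Assumed mirror of the application's downloads.allowed_disks setting.
ALLOWED_DISKS = {"local"}


def review_line(line, allowed_disks=ALLOWED_DISKS):
    """Return a finding dict for a Sharp download request, or None if the line is not one."""
    req = REQUEST_RE.search(line)
    if not req:
        return None
    url = urlsplit(req.group("target"))
    route = ROUTE_RE.match(url.path)
    if not route:
        return None
    params = parse_qs(url.query)
    disk = params.get("disk", [""])[0]
    # parse_qs decodes once; a second unquote surfaces double-encoded traversal.
    path = unquote(params.get("path", [""])[0])
    entity, instance = route.group("entityKey"), route.group("instanceId")
    reasons = []
    if disk not in allowed_disks:
        reasons.append(f"disk {disk!r} outside allowed_disks")
    if path.startswith("/") or ".." in path.split("/"):
        reasons.append("path escapes the storage root")
    # Assumed layout {entityKey}/{instanceId}/...: an unbound path is the missing-binding case itself.
    if instance and not path.startswith(f"{entity}/{instance}/"):
        reasons.append("path not bound to the authorized instance")
    if "signature" not in params:
        reasons.append("no signature parameter")
    return {"entity": entity, "instance": instance, "disk": disk, "path": path, "reasons": reasons}


def suspicious_requests(log_text):
    # Findings with at least one reason, in log order.
    findings = (review_line(line) for line in log_text.splitlines())
    return [f for f in findings if f and f["reasons"]]
```

The per-instance path heuristic and the allowed-disk set are the parts to tune to the deployment; the traversal and missing-signature checks apply as written.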

Detection coverage (2 rules)

Detect Sharp Laravel Storage Download Endpoint Abuse

Severity: high

Detects CVE-2026-44692 exploitation: suspicious requests to the Sharp download endpoint with unusual disk or path parameters, indicating potential unauthorized access to Laravel Storage files.

Rule type: Sigma. Tactics: initial_access. Techniques: T1190. Sources: webserver.

Detect Sharp Laravel Storage Download Endpoint Without Signature

Severity: medium

Detects requests to the Sharp Laravel Storage download endpoint without a signature, indicating a potential bypass of the intended access controls.

Rule type: Sigma. Tactics: initial_access. Techniques: T1190. Sources: webserver.
