{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/authenticated-disclosure/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["composer/code16/sharp","Laravel Storage"],"_cs_severities":["high"],"_cs_tags":["authenticated-disclosure","web-application","laravel","sharp"],"_cs_type":"advisory","_cs_vendors":["Laravel"],"content_html":"\u003cp\u003eThe Sharp package for Laravel exposes a generic download endpoint that improperly authorizes access to storage objects. An authenticated user who has access to at least one valid Sharp entity instance can exploit this vulnerability (CVE-2026-44692) to download unrelated files from Laravel Storage disks. The application authorizes based on the Sharp entity instance, but then reads the storage \u003ccode\u003edisk\u003c/code\u003e and \u003ccode\u003epath\u003c/code\u003e directly from the request parameters, meaning there\u0026rsquo;s no binding between the authorized entity and the requested storage object. This allows attackers to bypass intended access controls and potentially access sensitive files stored on configured Laravel Storage disks. Successful exploitation requires a valid Sharp session and view access to one valid entity. Versions prior to 9.22.0 are affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Sharp application with valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a valid Sharp entity instance to which they have view access.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a request to the \u003ccode\u003e/sharp/{globalFilter}/download/{entityKey}/{instanceId?}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003edisk\u003c/code\u003e and \u003ccode\u003epath\u003c/code\u003e parameters in the request to point to a different file within the configured Laravel Storage disks.\u003c/li\u003e\n\u003cli\u003eThe application authorizes the request based on the valid Sharp entity instance, but doesn\u0026rsquo;t validate the requested \u003ccode\u003edisk\u003c/code\u003e or \u003ccode\u003epath\u003c/code\u003e against that instance.\u003c/li\u003e\n\u003cli\u003eThe application retrieves the file specified by the manipulated \u003ccode\u003edisk\u003c/code\u003e and \u003ccode\u003epath\u003c/code\u003e parameters from the Laravel Storage disk.\u003c/li\u003e\n\u003cli\u003eThe application sends the contents of the unrelated file to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to potentially sensitive information, such as backups, invoices, or internal documents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44692 can lead to the authenticated disclosure of unrelated objects from configured Laravel Storage disks. Exposed files may include exports, backups, invoices, internal documents, uploads belonging to other records, tenant-specific data, or operational files stored on private application disks. The severity of the impact depends on the sensitivity of the data stored on the affected Laravel Storage disks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to composer/code16/sharp version 9.22.0 or later, which includes a fix for CVE-2026-44692.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003edownloads.allowed_disks\u003c/code\u003e to the smallest possible set of disks required by Sharp downloads, as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Sharp Laravel Storage Download Endpoint Abuse\u0026rdquo; to identify requests that may be exploiting this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/sharp/{globalFilter}/download/{entityKey}/{instanceId?}\u003c/code\u003e endpoint where the \u003ccode\u003edisk\u003c/code\u003e or \u003ccode\u003epath\u003c/code\u003e parameters deviate significantly from expected values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T18:03:41Z","date_published":"2026-05-15T18:03:41Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sharp-laravel-storage-disclosure/","summary":"An authenticated Sharp user with view access to at least one valid Sharp entity instance can download unrelated files from configured Laravel Storage disks by manipulating the `disk` and `path` parameters in the generic download endpoint, potentially exposing sensitive data like backups and internal documents; this vulnerability is tracked as CVE-2026-44692.","title":"Authenticated Sharp Users Can Download Unrelated Laravel Storage Objects","url":"https://feed.craftedsignal.io/briefs/2026-05-sharp-laravel-storage-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Authenticated-Disclosure","version":"https://jsonfeed.org/version/1.1"}