HIGH  CVE-2026-44692  Published  Modified  CNA: GitHub_M

CVE-2026-44692: Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint

Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters. Because the requested storage object is not bound to the authorized entity instance, an authenticated Sharp user who can view one valid record may use that record as an authorization anchor to download unrelated disk-relative objects from configured Laravel Storage disks. The confirmed impact is authenticated disclosure of unrelated objects from configured Laravel Storage disks. This issue does not imply arbitrary host filesystem access outside configured Laravel Storage disk roots. This issue has been patched in version 9.22.0.

Metrics

CVSS v3.1: 7.7
Severity: HIGH
Fixed in: 9.22.0
Affected products: 1


HarborGuard Analysis

Synopsis

This is an insecure direct object reference (IDOR) vulnerability in Code16 Sharp, a Laravel content management framework. The generic file download endpoint authorizes the caller against the Sharp entity instance named in the request, but then reads the storage disk and path to serve from separate request parameters that are never bound to that instance. An attacker holding any valid Sharp account can therefore reach the endpoint over the network, name one record they are legitimately allowed to view as an authorization anchor, and supply the disk and path of an unrelated object. Successful exploitation discloses objects on any configured Laravel Storage disk regardless of which entity or record they belong to; it does not reach the host filesystem outside the configured disk roots. A fix was introduced in Sharp version 9.22.0, and a patched-image rebuild at that version is available on HarborGuard for environments running an affected version.
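The two controller shapes below are an added illustration of the pattern the advisory text and this synopsis describe; they are not Sharp's code and make no claim about Sharp's actual route, class or parameter names. The Document model, the attachments relation, the DISK_BY_ENTITY table and the disk and path query parameters are all hypothetical. The first controller authorizes a record and then serves whatever the request names; the second binds the served object to the record that was authorized.

```php
<?php
// Added illustration, not code from Sharp or from the advisory: the "authorization
// anchor" anti-pattern beside a hardened controller that binds the served object to
// the authorized record. Every class, route, column and relation name here
// (Document, attachments, DISK_BY_ENTITY, disk, path) is hypothetical.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Storage;
use Symfony\Component\HttpFoundation\StreamedResponse;

/**
 * Vulnerable shape: the policy check proves the caller may view $record, but the
 * object actually streamed is chosen entirely by the caller. Any configured disk
 * and any path inside it can be requested while "anchored" to one viewable record.
 */
final class VulnerableDownloadController
{
    public function __invoke(Request $request, string $instanceId): StreamedResponse
    {
        $record = Document::findOrFail($instanceId);   // hypothetical entity model
        Gate::authorize('view', $record);              // the only check performed

        $disk = (string) $request->input('disk');      // attacker-controlled
        $path = (string) $request->input('path');      // attacker-controlled

        // e.g. ?disk=exports&path=tenants/other/report.xlsx while $instanceId is
        // a record the attacker legitimately owns: nothing ties $path to $record.
        return Storage::disk($disk)->download($path);
    }
}

/**
 * Hardened shape: the disk is decided server-side per entity, and the path must be
 * one the authorized record actually owns. An exact match against the stored paths
 * is used instead of a prefix check, so "../" sequences never reach the disk.
 */
final class HardenedDownloadController
{
    /** Disk each entity's files live on; fixed in code or config, never read from the request. */
    private const DISK_BY_ENTITY = ['documents' => 'documents'];

    public function __invoke(Request $request, string $instanceId): StreamedResponse
    {
        $record = Document::findOrFail($instanceId);
        Gate::authorize('view', $record);

        $disk = self::DISK_BY_ENTITY['documents'];

        // Hypothetical relation: the paths this record's own uploads were stored under.
        $owned = $record->attachments()->pluck('path')->all();
        $requested = (string) $request->input('path', '');

        // Object-level check: the requested object must belong to the authorized record.
        // Respond 404 rather than 403 so the existence of other objects is not confirmed.
        if ($requested === '' || !in_array($requested, $owned, true)) {
            abort(404);
        }
        if (!Storage::disk($disk)->exists($requested)) {
            abort(404);
        }

        return Storage::disk($disk)->download($requested, basename($requested));
    }
}
```

The important property of the hardened version is that the request can no longer pick the disk at all, and can only pick among paths the application itself recorded for that instance; a `str_starts_with()` prefix test on a per-record directory would be weaker because it has to normalise traversal sequences correctly first.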

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle the code16/sharp package at a vulnerable version.

Status: Available
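For an offline check of a deployment you operate, here is an added example (not HarborGuard's scanner and not part of the original page) that reads a composer.lock and reports whether code16/sharp is pinned below 9.22.0. The embedded lock content is constructed for the example; in practice you would pass the result of `file_get_contents('composer.lock')`.

```php
<?php
// Added check, not HarborGuard's scanner and not Sharp's code: report whether a
// composer.lock pins code16/sharp below the fixed version. The lock content at the
// bottom is constructed for this example.

const SHARP_PACKAGE = 'code16/sharp';
const SHARP_FIXED_VERSION = '9.22.0';

/**
 * Returns ['found' => bool, 'version' => ?string, 'vulnerable' => ?bool].
 * 'vulnerable' is null when the locked version carries no comparable number
 * (for example a "dev-main" branch alias), which should be reviewed by hand.
 */
function sharpStatus(string $composerLockJson): array
{
    $lock = json_decode($composerLockJson, true, 512, JSON_THROW_ON_ERROR);
    $packages = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);

    foreach ($packages as $pkg) {
        if (($pkg['name'] ?? '') !== SHARP_PACKAGE) {
            continue;
        }
        $raw = (string) ($pkg['version'] ?? '');
        $normalized = ltrim($raw, 'v');               // Composer tags are often "v9.21.2"

        if (!preg_match('/^\d+(\.\d+){1,3}/', $normalized)) {
            return ['found' => true, 'version' => $raw, 'vulnerable' => null];
        }
        // version_compare() orders pre-releases before the release, so
        // "9.22.0-beta1" is still reported as below 9.22.0, which is what we want.
        return [
            'found'      => true,
            'version'    => $raw,
            'vulnerable' => version_compare($normalized, SHARP_FIXED_VERSION, '<'),
        ];
    }
    return ['found' => false, 'version' => null, 'vulnerable' => false];
}

// Constructed sample: a lock file with the package one patch release behind the fix.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "laravel/framework", "version": "v11.20.0"},
    {"name": "code16/sharp", "version": "v9.21.2"}
  ],
  "packages-dev": []
}
JSON;

$status = sharpStatus($sampleLock);
if (!$status['found']) {
    echo SHARP_PACKAGE . " not present in lock file\n";
} elseif ($status['vulnerable'] === null) {
    echo SHARP_PACKAGE . " {$status['version']}: non-numeric version, review manually\n";
} else {
    echo SHARP_PACKAGE . " {$status['version']}: " .
        ($status['vulnerable'] ? 'VULNERABLE (< ' . SHARP_FIXED_VERSION . ')' : 'fixed') . "\n";
}
```

Checking the lock file rather than composer.json matters here: composer.json may carry a constraint such as `^9.0` that permits 9.22.0 while the lock file, and therefore the built image, still pins an older release.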
Triage

HarborGuard scores this finding at CVSS 7.7 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and is capable of weighting it against each environment's compliance policy before routing the alert to the appropriate team inbox within the customer organization.

Status: Available
Patch

A patched-image rebuild pinned to Sharp 9.22.0 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a PR against affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The Sharp download endpoint is exposed over the network, so an attacker must be able to reach the application's HTTP interface to send crafted requests.

  • Authentication: Required

    The attacker must hold a valid low-privilege Sharp account; any authenticated user with access to at least one valid entity record is sufficient to anchor the bypass.

  • Victim interaction: Not required

    No victim action is needed; the attacker sends requests directly to the download endpoint without involving another user.

  • Attack complexity: Low

    Exploitation is deterministic: once the attacker has a valid session and the identifier of one entity instance they are permitted to view, no race conditions or special environmental factors are required, matching AC:L in the CVSS vector.

Blast Radius

  • Reads arbitrary files stored on any configured Laravel Storage disk, including uploaded documents, exported reports, and other application-managed files that belong to unrelated entities or tenants.
  • Discloses data across logical access boundaries within the same application, meaning one tenant or user account can reach files that should be scoped to a different account.
  • Does not grant write or delete access to storage objects, and does not extend outside the root paths of configured Laravel Storage disks to the broader host filesystem.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-44692 is active the moment the advisory is ingested, with image scans matching any container that packages code16/sharp below version 9.22.0. A patched-image rebuild at 9.22.0 is available for affected environments. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding the image, executing the configured regression suite, and opening a PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. Where compliance policy requires manual review before merge, HarborGuard routes the rebuild PR and the full finding detail to the designated owner inbox so no manual triage step is missed.

Affected packages
  • code16/sharp < 9.22.0

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N