CVE-2026-24749
Published 2026-04-16
Priority P4 (33) · Severity medium · CVSS 3.1 base score 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.40% (31.7th percentile)
The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert(). Note that if developers use DBFile directly in the $db configuration for a DataObject class that doesn't subclass File, and if they were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If developers do not want to explicitly provide access grants for these files in their apps (i.e. they want these files to be accessible by default), they should use the "public" visibility. This issue has been fixed in versions 2.4.5 and 3.1.3.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| silverstripe | assets | >= 0 < 2.4.5 | 2.4.5 |
| silverstripe | assets | >= 3.0.0 < 3.1.3 | 3.1.3 |
| silverstripe | silverstripe-assets | < 2.4.5 | 2.4.5 |
| silverstripe | silverstripe-assets | — | — |
GHSA (2026-04-16): Silverstripe Assets Module has a DBFile::getURL() permission bypass
CVE-2026-24749 · severity MEDIUM · CWE-266
### Impact
Images rendered in templates or otherwise accessed via `DBFile::getURL()` or `DBFile::getSourceURL()` incorrectly add an access grant to the current session, which bypasses file permissions.
This usually happens when creating an image variant, for example using a manipulation method like `ScaleWidth()` or `Convert()`.
Note that if you use `DBFile` directly in the `$db` configuration for a `DataObject` class that doesn't subclass `File`, and if you were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If you do not want to explicitly provide access grants for these files (i.e. you want these files to be accessible by default), you should use the "public" visibility.
VulDB (2026-04-16, CVSS 5.3): SilverStripe Assets Module up to 2.4.4/3.1.2 getSourceURL authorization (GHSA-jgcf-rf45-2f8v)
CVE-2026-24749 · severity MEDIUM
A vulnerability identified as problematic has been detected in SilverStripe Assets Module up to 2.4.4/3.1.2. The impacted element is the function DBFile::getURL/DBFile::getSourceURL. The manipulation leads to incorrect authorization.
This vulnerability is uniquely identified as CVE-2026-24749. The attack can be carried out remotely. No exploit exists.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.