CVE-2026-24749: Silverstripe Assets Module has a DBFile::getURL() permission bypass
Images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions.
This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert().
Note that if you use DBFile directly in the $db configuration of a DataObject class that does not subclass File, and you were setting the visibility of those files to “protected”, those files will now need an explicit access grant before they can be accessed. If you do not want to provide access grants for these files explicitly (i.e. you want them to be accessible by default), you should use the “public” visibility instead.
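The following is an added illustration of the two choices described in the note above; it is not code from the advisory or from the silverstripe-assets project. It assumes the public API of SilverStripe\Assets\Storage\DBFile and AssetStore (the 'visibility' option of setFromLocalFile(), the VISIBILITY_PUBLIC and VISIBILITY_PROTECTED constants, and grantFile()); the class name Brochure and the field name Document are hypothetical. Check the signatures against the version you have installed.

```php
<?php

namespace App\Model;

use SilverStripe\Assets\Storage\AssetStore;
use SilverStripe\Assets\Storage\DBFile;
use SilverStripe\ORM\DataObject;

/**
 * Added example (not part of the advisory or the project): a DataObject that
 * stores a file directly as a DBFile column instead of referencing a File
 * record. This is the case the advisory's note covers, because such files get
 * no access grant from a File::canView() check.
 */
class Brochure extends DataObject
{
    private static $table_name = 'App_Brochure';

    private static $db = [
        'Title'    => 'Varchar',
        'Document' => 'DBFile', // hypothetical field name
    ];

    /**
     * Option 1 from the note: store the file with "public" visibility.
     * No access grant is needed for it to be served, so it stays reachable
     * by default once getURL() no longer grants access implicitly.
     */
    public function storePublic(string $localPath, string $filename): void
    {
        /** @var DBFile $doc */
        $doc = $this->dbObject('Document');
        $doc->setFromLocalFile($localPath, $filename, null, null, [
            'visibility' => AssetStore::VISIBILITY_PUBLIC,
        ]);
        $this->write();
    }

    /**
     * Option 2 from the note: keep the file "protected" and grant access
     * explicitly. The grant is the application's decision, made after its
     * own permission check, rather than a side effect of rendering a URL.
     */
    public function storeProtected(string $localPath, string $filename): void
    {
        /** @var DBFile $doc */
        $doc = $this->dbObject('Document');
        $doc->setFromLocalFile($localPath, $filename, null, null, [
            'visibility' => AssetStore::VISIBILITY_PROTECTED,
        ]);
        $this->write();
    }

    /**
     * Return a URL for the protected file only after deciding, via this
     * object's own canView() permission check, that the current session may
     * see it. Without the grantFile() call the protected file is not served.
     */
    public function getDocumentUrlForCurrentUser(): ?string
    {
        /** @var DBFile $doc */
        $doc = $this->dbObject('Document');
        if (!$doc->exists()) {
            return null;
        }
        if ($this->canView()) {
            $doc->grantFile(); // explicit grant for the current session
        }
        return $doc->getURL();
    }
}
```

The point of the split is that, on a fixed release, visibility and access grants are the only things that decide whether a protected DBFile is served; rendering the URL in a template no longer widens access, so any code that relied on that side effect has to choose one of the two options above.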
References
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/assets/CVE-2026-24749.yaml
- github.com/advisories/GHSA-jgcf-rf45-2f8v
- github.com/silverstripe/silverstripe-assets
- github.com/silverstripe/silverstripe-assets/security/advisories/GHSA-jgcf-rf45-2f8v
- nvd.nist.gov/vuln/detail/CVE-2026-24749
- www.silverstripe.org/download/security-releases/cve-2026-24749