CVE-2026-24749 DBFile permission bypass

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Medium (?)
Identifier:: CVE-2026-24749
Versions Affected:: silverstripe/assets: <2.4.5, >=3.0.0 <3.1.3
Versions Fixed:: silverstripe/assets: 2.4.5, 3.1.3
Release Date:: 2026-04-16

Images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions.

Base CVSS: 5.3
Reported by: Restruct web & apps