Description
The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert(). Note that if developers use DBFile directly in the $db configuration for a DataObject class that doesn't subclass File, and if they were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If developers do not want to explicitly provide access grants for these files in their apps (i.e. they want these files to be accessible by default), they should use the "public" visibility. This issue has been fixed in versions 2.4.5 and 3.1.3.
Published: 2026-04-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Permission Bypass
Action: Patch Upgrade
AI Analysis

Impact

In Silverstripe Assets Module versions before 2.4.5, and in 3.0.0-rc1 through 3.1.2, the methods that generate URLs for database files (DBFile::getURL() and DBFile::getSourceURL()) do not respect the file's visibility setting when creating image variants. As a result, the system adds an implicit access grant to the current session that allows the requesting user to download the file, even when the file is marked as "protected". This flaw maps to CWE-863 (Incorrect Authorization), a breach of access control. The consequence is that sensitive files can be accessed by unauthorized users, undermining confidentiality and potentially enabling further exploitation if the files contain privileged data.

Affected Systems

Any installation of the Silverstripe Framework that includes the Assets Module with a version earlier than 2.4.5 or between 3.0.0-rc1 and 3.1.2 is vulnerable. The issue manifests when templates render images or when image manipulation functions such as ScaleWidth() or Convert() are called. Systems that define DBFile fields in custom DataObject classes without subclassing File and set their visibility to "protected" are also at risk, since the implicit grant can expose those files as well.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 places the issue at medium severity. The EPSS score is below 1% (very low), and the vulnerability is not listed in the CISA KEV catalog, so there is no known widespread exploitation. However, because the flaw is triggered by common image-processing operations that occur during normal site operation, an attacker who can influence image manipulation requests, such as through crafted URLs or template injection, could cause the system to grant unauthorized access to protected files. The lack of explicit access controls on indirectly accessed files or database fields further lowers the barrier to exploitation.

Generated by OpenCVE AI on April 16, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Silverstripe Assets Module to version 2.4.5 or newer, or to 3.1.3 or newer, to eliminate the implicit grant behavior.
  • If an upgrade cannot be performed immediately, change the visibility of all DBFile objects to "public" so that files are accessible by default and no implicit grants are created.
  • For legacy DBFile usage in custom DataObject classes, either convert those fields to subclass File or explicitly grant access to protected files; do not rely on the default grant mechanism.

Advisories
Source       ID                    Title
Github GHSA  GHSA-jgcf-rf45-2f8v   Silverstripe Assets Module has a DBFile::getURL() permission bypass
History

Thu, 16 Apr 2026 19:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Silverstripe; Silverstripe silverstripe
Vendors & Products                     Silverstripe; Silverstripe silverstripe

Thu, 16 Apr 2026 17:30:00 +0000

Type                  Values Removed   Values Added
Description                            (CVE description text, identical to the Description section above)
Title                                  Silverstripe Assets Module has a DBFile::getURL() permission bypass
Weaknesses                             CWE-863
References
Metrics                                cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-16T17:08:59.133Z
Reserved: 2026-01-26T19:06:16.060Z
Link: CVE-2026-24749

Vulnrichment

No data.

NVD

Status: Awaiting Analysis
Published: 2026-04-16T18:16:44.610
Modified: 2026-04-17T15:38:09.243
Link: CVE-2026-24749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:58:23Z

Weaknesses