Impact
Sharp, a Laravel content management framework, exposes a generic download endpoint that authorizes only the supplied entity instance and then reads the requested storage disk and path directly from request parameters. Because the storage object is never bound to the authorized entity, an authenticated Sharp user who may view a record can use that record as an authorization anchor to download unrelated objects from any configured Laravel Storage disk. The confirmed impact is disclosure of those unrelated, potentially confidential objects. The vulnerability is a form of improper authorization (CWE-639, authorization bypass through a user-controlled key) and does not grant arbitrary host filesystem access outside the configured disk roots. Based on the description, the attack is inferred to require an authenticated session with permission to view at least one valid record; no privilege escalation or remote code execution is involved.
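The authorization gap described above, shown as an added illustration that is not Sharp's own code: a hypothetical Laravel download controller that authorizes a record but takes the disk and path from the request, next to a version that resolves the file from the record itself so the authorization check and the served object refer to the same thing. The `Document` model, its `attachments` relation, the column names and the disk name `documents` are assumptions made for this example.

```php
<?php
// Added example (not code from Sharp). Illustrates CWE-639 in a Laravel download
// endpoint and one way to bind the downloaded object to the authorized record.
// `Document`, its `attachments` relation and the column names are hypothetical.

namespace App\Http\Controllers;

use App\Models\Document;                                   // hypothetical Eloquent model
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Symfony\Component\HttpFoundation\StreamedResponse;

class DownloadController extends Controller
{
    use AuthorizesRequests;

    // VULNERABLE PATTERN: the record is authorized, but the storage object that is
    // actually returned comes straight from the request. Any user who may view
    // *some* Document can ask for any disk/path pair the application has configured.
    public function downloadInsecure(Request $request, Document $document): StreamedResponse
    {
        $this->authorize('view', $document);          // only checks the anchor record

        $disk = $request->input('disk');              // client-controlled
        $path = $request->input('path');              // client-controlled

        return Storage::disk($disk)->download($path); // object never tied to $document
    }

    // HARDENED PATTERN: the client names an attachment that belongs to the record;
    // disk and path are read from the record's own data, never from the request.
    public function downloadSecure(Request $request, Document $document): StreamedResponse
    {
        $this->authorize('view', $document);

        $validated = $request->validate([
            'attachment' => ['required', 'integer'],
        ]);

        // Look the attachment up *through* the relation, so an id that belongs to
        // another record yields a 404 instead of resolving to someone else's object.
        $attachment = $document->attachments()
            ->whereKey($validated['attachment'])
            ->firstOrFail();

        // Defence in depth: only the disks this feature is meant to serve from.
        abort_unless(in_array($attachment->disk, ['documents'], true), 403);

        $storage = Storage::disk($attachment->disk);
        abort_unless($storage->exists($attachment->path), 404);

        return $storage->download($attachment->path, $attachment->original_name);
    }
}
```

Wire the hardened action to a route such as `Route::get('/documents/{document}/download', [DownloadController::class, 'downloadSecure'])`; the route carries only the record identifier, and the `attachment` parameter is meaningful only relative to that record. When reviewing a similar endpoint, the question to ask is whether every value that selects the served object is derived from the entity that was authorized, or whether any of it still arrives unchecked in the request.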
Affected Systems
The affected product is code16:Sharp, a Laravel package. Versions prior to 9.22.0 are vulnerable. The fix is included in Sharp 9.22.0 and later. Adjustments to user permissions or limiting download access may help mitigate the issue without patching.
Risk and Exploitability
The CVSS score of 7.7 indicates high severity. No EPSS score is available, so the likelihood of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a user who holds legitimate view permission on one Sharp entity using the generic download endpoint to retrieve unrelated storage objects. The absence of a KEV listing and of an EPSS score suggest the attack surface is limited to authenticated users within environments that use Sharp and have exposed storage disks.
OpenCVE Enrichment
GitHub GHSA