CVE-2026-44692

CVE-2026-44692 is a high-severity security vulnerability in code16/sharp (composer), affecting versions < 9.22.0. It is fixed in 9.22.0.

Summary

Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters.

Because the requested storage object is not bound to the authorized entity instance, an authenticated Sharp user who can view one valid record may use that record as an authorization anchor to download unrelated disk-relative objects from configured Laravel Storage disks.

The confirmed impact is authenticated disclosure of unrelated objects from configured Laravel Storage disks. This issue does not imply arbitrary host filesystem access outside configured Laravel Storage disk roots.

Attack requirements

An attacker must have:

  • an authenticated Sharp session
  • view access to at least one valid Sharp entity instance

The attacker does not need authorization to the storage object being downloaded.

Affected endpoint

GET /sharp/{globalFilter}/download/{entityKey}/{instanceId?}

Workarounds

If upgrading is not immediately possible, applications should restrict downloads.allowed_disks to the smallest possible set of disks required by Sharp downloads.

Applications should also avoid storing sensitive unrelated files on disks reachable by Sharp’s generic download endpoint, and should add application-level controls to ensure that requested files are bound to the authorized record.

Disk allowlisting reduces the reachable storage surface, but it does not fully fix the missing per-record file binding. Upgrading to a patched version is recommended.
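As an added illustration of the two application-level controls described above, the PHP below shows the vulnerable shape (authorize the record, then trust disk and path from the request) next to a hardened shape that also enforces a disk allowlist and a per-record file binding. This is example code, not code16/sharp's own implementation. Assumptions not taken from the advisory: the allowlist is read as config('sharp.downloads.allowed_disks'), records expose a hypothetical attachedFiles() accessor returning ['disk' => ..., 'path' => ...] entries, and resolveRecord() stands in for the application's own entity lookup.

```php
<?php
// Added example, not part of code16/sharp. See lead-in for assumptions.

namespace App\Http\Controllers;

use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Symfony\Component\HttpFoundation\StreamedResponse;

class BoundDownloadController extends Controller
{
    use AuthorizesRequests;

    // Vulnerable shape from the advisory: only the record is authorized,
    // then disk and path are taken straight from the query string.
    public function unsafe(Request $request, string $entityKey, ?string $instanceId = null): StreamedResponse
    {
        $record = $this->resolveRecord($entityKey, $instanceId);
        $this->authorize('view', $record);

        return Storage::disk($request->query('disk'))   // any disk in config/filesystems.php
            ->download($request->query('path'));        // any object on that disk
    }

    // Hardened shape: same authorization, plus the requested object must sit
    // on an allowlisted disk AND be one of the files the record itself owns.
    public function safe(Request $request, string $entityKey, ?string $instanceId = null): StreamedResponse
    {
        $record = $this->resolveRecord($entityKey, $instanceId);
        $this->authorize('view', $record);

        $disk = (string) $request->query('disk', '');
        $path = (string) $request->query('path', '');

        // Control 1: disk allowlist (config key is an assumption, see lead-in).
        $allowedDisks = (array) config('sharp.downloads.allowed_disks', []);
        abort_unless(in_array($disk, $allowedDisks, true), 403, 'Disk not allowed');

        // Control 2: per-record binding. Compare normalized paths exactly so
        // "../" segments and prefix matches cannot widen the match.
        $requested = $this->normalize($path);
        $bound = false;
        foreach ($record->attachedFiles() as $file) {     // hypothetical accessor
            if ($file['disk'] === $disk && $this->normalize($file['path']) === $requested) {
                $bound = true;
                break;
            }
        }
        abort_unless($bound, 403, 'File is not bound to this record');
        abort_unless(Storage::disk($disk)->exists($path), 404);

        return Storage::disk($disk)->download($path);
    }

    // Collapse ".", ".." and empty segments without touching the disk.
    private function normalize(string $path): string
    {
        $out = [];
        foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
            if ($segment === '' || $segment === '.') {
                continue;
            }
            if ($segment === '..') {
                array_pop($out);
                continue;
            }
            $out[] = $segment;
        }
        return implode('/', $out);
    }

    private function resolveRecord(string $entityKey, ?string $instanceId): object
    {
        // Hypothetical lookup: map $entityKey to the entity's model and fetch
        // $instanceId through Eloquent in a real application.
        return EntityRegistry::modelFor($entityKey)::findOrFail($instanceId);
    }
}
```

The binding check is the part the disk allowlist alone cannot provide: even on a permitted disk, a path that is not in the record's own attachment list is refused, so a record the attacker may view no longer works as an anchor for someone else's files.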


Impact

An authenticated Sharp user with view access to at least one valid Sharp entity instance may be able to download unrelated files from configured Laravel Storage disks by supplying a different disk and path to the generic download endpoint.

Depending on the application, exposed files may include exports, backups, invoices, internal documents, uploads belonging to other records, tenant-specific data, or operational files stored on private application disks.

The attacker does not need authorization to the storage object being downloaded. They only need an authenticated Sharp session and view access to one valid entity instance that can be used as the authorization anchor.

CVE-2026-44692 has a CVSS score of 7.7 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (9.22.0); upgrading removes the vulnerable code path.

Affected versions

code16/sharp (< 9.22.0)

Security releases

code16/sharp → 9.22.0 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

After the fix, requests to the generic download endpoint without a valid signature are rejected. Modifying the disk, path, entityKey, or instanceId parameters of a Sharp-generated download URL invalidates the signature and prevents the modified request from being used to download another storage object.
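To make the signed-URL behaviour concrete, the added example below shows how a Laravel application mints a download link whose disk, path, entityKey and instanceId are all covered by the signature, and how the receiving controller rejects any request whose signature no longer matches. This is illustrative code written for this page, not code16/sharp's actual fix. Assumptions: a hypothetical route named 'app.sharp.download' with the same parameter names points at DownloadController@show, and resolveRecord() stands in for the application's own entity lookup.

```php
<?php
// Added example, not part of code16/sharp. See lead-in for assumptions.

namespace App\Http\Controllers;

use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Facades\URL;
use Symfony\Component\HttpFoundation\StreamedResponse;

class DownloadController extends Controller
{
    use AuthorizesRequests;

    // Build the link the UI hands out. Every parameter that selects the
    // storage object is part of the signed URL, so editing any of them
    // afterwards invalidates the signature.
    public static function linkFor(string $entityKey, string $instanceId, string $disk, string $path): string
    {
        return URL::temporarySignedRoute(
            'app.sharp.download',        // hypothetical route name
            now()->addMinutes(5),        // short lifetime limits replay of a leaked link
            [
                'entityKey'  => $entityKey,
                'instanceId' => $instanceId,
                'disk'       => $disk,
                'path'       => $path,
            ]
        );
    }

    public function show(Request $request, string $entityKey, ?string $instanceId = null): StreamedResponse
    {
        // hasValidSignature() recomputes the HMAC over the full URL (route
        // segments and query string, minus the signature itself) with APP_KEY
        // and also enforces the expiry. A tampered disk, path, entityKey or
        // instanceId fails here. The 'signed' route middleware does the same.
        abort_unless($request->hasValidSignature(), 403, 'Invalid or expired signature');

        // Keep the per-record authorization: the signature only proves the
        // server issued this exact URL, not that the caller may still view it.
        $record = $this->resolveRecord($entityKey, $instanceId);
        $this->authorize('view', $record);

        return Storage::disk((string) $request->query('disk'))
            ->download((string) $request->query('path'));
    }

    private function resolveRecord(string $entityKey, ?string $instanceId): object
    {
        // Hypothetical lookup: map $entityKey to the entity's model and fetch
        // $instanceId through Eloquent in a real application.
        return EntityRegistry::modelFor($entityKey)::findOrFail($instanceId);
    }
}
```

With this pattern the server, not the client, decides which storage object a link refers to; the client can only replay a link it was given, and only until it expires.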

Frequently Asked Questions

  1. What is CVE-2026-44692? CVE-2026-44692 is a high-severity security vulnerability in code16/sharp (composer), affecting versions < 9.22.0. It is fixed in 9.22.0.
  2. How severe is CVE-2026-44692? CVE-2026-44692 has a CVSS score of 7.7 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of code16/sharp are affected by CVE-2026-44692? code16/sharp (composer) versions < 9.22.0 are affected.
  4. Is there a fix for CVE-2026-44692? Yes. CVE-2026-44692 is fixed in 9.22.0. Upgrade to this version or later.
  5. Is CVE-2026-44692 exploitable, and should I be worried? Whether CVE-2026-44692 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-44692 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-44692? Upgrade code16/sharp to 9.22.0 or later.

Other vulnerabilities in code16/sharp

  • CVE-2026-33686
  • CVE-2026-33687
  • CVE-2025-62798
  • CVE-2025-61457
