VDB
KO

DRUPAL-CORE-2026-010

Details

The Image module allows you to define and configure image fields.

The module doesn't sufficiently check access to image style derivatives when those files are served via a file stream other than `private://`.

This vulnerability is mitigated by the fact that Drupal must be configured to use a contributed (non-core) file scheme to serve private derived images.

Information disclosure issues like this one are not generally given security advisories (as described in [PSA-2023-07-12)](https://www.drupal.org/psa-2023-07-12)). This fix is provided as a hardening. Contributed modules implementing custom stream wrappers may need to add similar hardenings.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / drupal/core
Introduced in: 0 Fixed in: 10.6.13
Fix composer require drupal/core:^10.6.13

References