—
DRUPAL-CORE-2026-010
Details
The Image module allows you to define and configure image fields.
The module doesn't sufficiently check access to image style derivatives when those files are served via a file stream other than `private://`.
This vulnerability is mitigated by the fact that Drupal must be configured to use a contributed (non-core) file scheme to serve private derived images.
Information disclosure issues like this one are not generally given security advisories (as described in [PSA-2023-07-12)](https://www.drupal.org/psa-2023-07-12)). This fix is provided as a hardening. Contributed modules implementing custom stream wrappers may need to add similar hardenings.
Are you affected?
Enter the version of the package you're using.
Affected packages
Packagist / drupal/core
Introduced in:
0 Fixed in: 10.6.13 Fix
composer require drupal/core:^10.6.13