Security Issue: Attachments uploaded to Expense Claims Visible to public

Hi there,

It seems people with the direct link can download / view attachments that would have been otherwise not shown to users.

For example, if you uploaded an attachment to EXP00001 and the direct link to the file becomes

Anyone who knows the above URL would be able to access the attachment directly without any authentication. Suggest to check sessions when accessing the /files/ and also check the user’s permission to whether he/she has access to that specific record, e.g. expense claim.

Tested on ERPNext: v5.6.2


Already fixed in the latest with private files.

So does marking an attachment as private mean that it is only available to the submitting user, or does it mean that it is available to any authenticated user?

Hi @PeterDF,

as far as it was any authenticated user that has the right to view a document and it´s attachments by permission rules

1 Like