No authentication required to see non public images #5158

Closed
opened 2026-02-05 09:45:02 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @lennartdohmann on GitHub (Jan 29, 2025).

Describe the Bug

If you save a page with an uploaded image in a book and open this image via the direct link, then no authentication is required, i.e. anyone who knows, guesses or captures the link can download the private image. My Bookstack instance is private.

Steps to Reproduce

  1. Create a private book
  2. Create a private page in it
  3. Upload an image
  4. Right click image and select 'Open link in new tab'
  5. You can copy and paste the link in any browser where you are not logged in and still have access to the image

Expected Behaviour

The image should not be publicly available since my whole Bookstack is private. No registration, no other users, only for me.

Screenshots or Additional Context

No response

Browser Details

Firefox 134.0.2 (aarch64) on MacOS Sequoia 15.1.1

Exact BookStack Version

quay.io/linuxserver.io/bookstack:24.12.20241223@sha256:d1c7c9ac3badb98582b75846db3cccb29b65dafbda2f68a33758032d7a0555b2

OVERLORD added the 🐛 Bug label 2026-02-05 09:45:02 +03:00

@ssddanbrown commented on GitHub (Jan 29, 2025):

Hi @lennartdohmann,
Please see our security docs regarding options around images:
https://www.bookstackapp.com/docs/admin/security/#securing-images


@lennartdohmann commented on GitHub (Jan 29, 2025):

@ssddanbrown That helps a lot. Thank you!

Reference: starred/BookStack#5158