Wednesday, Jul 20th, 2022
Advisory ID: 
Security risk: 
Moderately Critical
Information Disclosure
Versions affected: 
  • Backdrop Core 1.22.x versions prior to 1.22.1
  • Backdrop Core 1.21.x versions prior to 1.21.6

Backdrop versions 1.20 and prior do not receive security coverage.


In some situations, the Image module does not correctly check access to image files that are not stored in the standard public files directory when generating derivative images using the image styles system.

Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.

Some sites may require configuration changes following this security release. Review the Backdrop release notes if you have issues accessing files or image styles after updating.


Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.22.1 release page. See the update instructions, if needed.

Fixed By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive security announcements for core and contrib projects"