When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
[
{
"product": "Drupal Core",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "8.2.x versions before 8.2.7"
}
]
}
]