fix(multiuser): validate image access in recall parameter resolution

The recall endpoint loaded image files and ran ControlNet preprocessors
on any image_name supplied in control_layers or ip_adapters without
checking that the caller could read the image.  An attacker who knew
another user's image UUID could extract dimensions and, for supported
preprocessors, mint a derived processed image they could then fetch.

Added _assert_recall_image_access() which validates read access for every
image referenced in the request before any resolution or processing
occurs.  Access is granted to the image owner, admins, or when the image
sits on a Shared/Public board.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: lstein

invokeai/app/api/routers/recall_parameters.py

@@ -292,6 +292,51 @@ def resolve_ip_adapter_models(ip_adapters: list[IPAdapterRecallParameter]) -> li
     return resolved_adapters
 
 
+def _assert_recall_image_access(parameters: "RecallParameter", current_user: CurrentUserOrDefault) -> None:
+    """Validate that the caller can read every image referenced in the recall parameters.
+
+    Control layers and IP adapters may reference image_name fields.  Without this
+    check an attacker who knows another user's image UUID could use the recall
+    endpoint to extract image dimensions and — for ControlNet preprocessors — mint
+    a derived processed image they can then fetch.
+    """
+    from invokeai.app.services.board_records.board_records_common import BoardVisibility
+
+    image_names: list[str] = []
+    if parameters.control_layers:
+        for layer in parameters.control_layers:
+            if layer.image_name is not None:
+                image_names.append(layer.image_name)
+    if parameters.ip_adapters:
+        for adapter in parameters.ip_adapters:
+            if adapter.image_name is not None:
+                image_names.append(adapter.image_name)
+
+    if not image_names:
+        return
+
+    # Admin can access all images
+    if current_user.is_admin:
+        return
+
+    for image_name in image_names:
+        owner = ApiDependencies.invoker.services.image_records.get_user_id(image_name)
+        if owner is not None and owner == current_user.user_id:
+            continue
+
+        # Check board visibility
+        board_id = ApiDependencies.invoker.services.board_image_records.get_board_for_image(image_name)
+        if board_id is not None:
+            try:
+                board = ApiDependencies.invoker.services.boards.get_dto(board_id=board_id)
+                if board.board_visibility in (BoardVisibility.Shared, BoardVisibility.Public):
+                    continue
+            except Exception:
+                pass
+
+        raise HTTPException(status_code=403, detail=f"Not authorized to access image {image_name}")
+
+
 @recall_parameters_router.post(
     "/{queue_id}",
     operation_id="update_recall_parameters",
@@ -330,6 +375,10 @@ async def update_recall_parameters(
     """
     logger = ApiDependencies.invoker.services.logger
 
+    # Validate image access before processing — prevents information leakage
+    # (dimensions) and derived-image minting via ControlNet preprocessors.
+    _assert_recall_image_access(parameters, current_user)
+
     try:
         # Get only the parameters that were actually provided (non-None values)
         provided_params = {k: v for k, v in parameters.model_dump().items() if v is not None}

tests/app/routers/test_multiuser_authorization.py

@@ -1014,6 +1014,93 @@ def test_update_recall_parameters_requires_auth(self, enable_multiuser: Any, cli
         assert r.status_code == status.HTTP_401_UNAUTHORIZED
 
 
+# ===========================================================================
+# 7a2. Recall parameters image access control
+# ===========================================================================
+
+
+class TestRecallImageAccess:
+    """Tests that recall parameter image references are validated for read access."""
+
+    def test_recall_controlnet_with_other_users_image_rejected(
+        self, client: TestClient, mock_invoker: Invoker, user1_token: str, user2_token: str
+    ):
+        """User2 must not be able to reference user1's private image in a control layer."""
+        user1 = mock_invoker.services.users.get_by_email("user1@test.com")
+        assert user1 is not None
+        _save_image(mock_invoker, "victim-ctrl-img", user1.user_id)
+
+        r = client.post(
+            "/api/v1/recall/default",
+            json={"control_layers": [{"model_name": "some-controlnet", "image_name": "victim-ctrl-img"}]},
+            headers=_auth(user2_token),
+        )
+        assert r.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_recall_ip_adapter_with_other_users_image_rejected(
+        self, client: TestClient, mock_invoker: Invoker, user1_token: str, user2_token: str
+    ):
+        """User2 must not be able to reference user1's private image in an IP adapter."""
+        user1 = mock_invoker.services.users.get_by_email("user1@test.com")
+        assert user1 is not None
+        _save_image(mock_invoker, "victim-ip-img", user1.user_id)
+
+        r = client.post(
+            "/api/v1/recall/default",
+            json={"ip_adapters": [{"model_name": "some-ip-adapter", "image_name": "victim-ip-img"}]},
+            headers=_auth(user2_token),
+        )
+        assert r.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_recall_own_image_allowed(self, client: TestClient, mock_invoker: Invoker, user1_token: str):
+        """Owner should be able to reference their own image in recall parameters."""
+        user1 = mock_invoker.services.users.get_by_email("user1@test.com")
+        assert user1 is not None
+        _save_image(mock_invoker, "own-ctrl-img", user1.user_id)
+
+        r = client.post(
+            "/api/v1/recall/default",
+            json={"control_layers": [{"model_name": "some-controlnet", "image_name": "own-ctrl-img"}]},
+            headers=_auth(user1_token),
+        )
+        # Should not be 403 (may fail downstream for other reasons, e.g. model not found)
+        assert r.status_code != status.HTTP_403_FORBIDDEN
+
+    def test_recall_shared_board_image_allowed(
+        self, client: TestClient, mock_invoker: Invoker, user1_token: str, user2_token: str
+    ):
+        """An image on a shared board should be usable in recall by any user."""
+        user1 = mock_invoker.services.users.get_by_email("user1@test.com")
+        assert user1 is not None
+        _save_image(mock_invoker, "shared-recall-img", user1.user_id)
+
+        board_id = _create_board(client, user1_token, "Shared Recall Board")
+        _share_board(client, user1_token, board_id)
+        mock_invoker.services.board_image_records.add_image_to_board(board_id=board_id, image_name="shared-recall-img")
+
+        r = client.post(
+            "/api/v1/recall/default",
+            json={"ip_adapters": [{"model_name": "some-ip-adapter", "image_name": "shared-recall-img"}]},
+            headers=_auth(user2_token),
+        )
+        assert r.status_code != status.HTTP_403_FORBIDDEN
+
+    def test_recall_admin_can_reference_any_image(
+        self, client: TestClient, mock_invoker: Invoker, admin_token: str, user1_token: str
+    ):
+        """Admin should be able to reference any user's image."""
+        user1 = mock_invoker.services.users.get_by_email("user1@test.com")
+        assert user1 is not None
+        _save_image(mock_invoker, "admin-recall-img", user1.user_id)
+
+        r = client.post(
+            "/api/v1/recall/default",
+            json={"control_layers": [{"model_name": "some-controlnet", "image_name": "admin-recall-img"}]},
+            headers=_auth(admin_token),
+        )
+        assert r.status_code != status.HTTP_403_FORBIDDEN
+
+
 # ===========================================================================
 # 7b. Recall parameters cross-user isolation
 # ===========================================================================