Security issue with privacy+galleries addon combination

Hello all,

There is a data leak within the galleries+privacy addon combination. If:
  1. an image or video is set as non-public in some way, via the privacy settings
  2. and that image/video is the first/last (depending on settings) media item within its gallery
  3. and that gallery has no thumbnail set
… then a thumbnail of that media item will leak as the automatic thumbnail for the gallery.
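The three conditions above can be modelled as follows. This is an added example, not Composr's code or the actual patch: the `MediaItem`/`Gallery` classes, their fields and the sample galleries are all hypothetical. It puts a thumbnail picker that ignores privacy beside one that only considers publicly visible items, plus an audit helper that lists galleries meeting all three conditions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class MediaItem:  # hypothetical model, not Composr's schema
    thumb_url: str
    public: bool  # False when the privacy settings restrict the item in any way

@dataclass
class Gallery:  # hypothetical model, not Composr's schema
    name: str
    thumbnail: Optional[str]  # explicitly set gallery thumbnail, if any
    items: List[MediaItem] = field(default_factory=list)

def auto_thumb_leaky(g, use_last=False):
    """Behaviour described in the advisory: item privacy is never consulted."""
    if g.thumbnail or not g.items:
        return g.thumbnail
    return (g.items[-1] if use_last else g.items[0]).thumb_url

def auto_thumb_guarded(g, use_last=False):
    """Pick only among public items; no automatic thumbnail if there are none."""
    if g.thumbnail:
        return g.thumbnail
    visible = [i for i in g.items if i.public]
    if not visible:
        return None
    return (visible[-1] if use_last else visible[0]).thumb_url

def affected_galleries(galleries, use_last=False):
    """Names of galleries that meet all three conditions from the advisory."""
    out = []
    for g in galleries:
        if g.thumbnail is None and g.items:          # condition 3
            pick = g.items[-1] if use_last else g.items[0]  # condition 2
            if not pick.public:                      # condition 1
                out.append(g.name)
    return out

# Constructed sample data
GALLERIES = [
    Gallery("holiday", None, [MediaItem("thumbs/a.jpg", False), MediaItem("thumbs/b.jpg", True)]),
    Gallery("team", "thumbs/team.png", [MediaItem("thumbs/c.jpg", False)]),
    Gallery("staff", None, [MediaItem("thumbs/d.jpg", True), MediaItem("thumbs/e.jpg", False)]),
    Gallery("drafts", None, [MediaItem("thumbs/f.jpg", False)]),
]
```
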

This issue has been resolved in the latest patch release (10.0.40). A hot-fix can also be found in issue 0004765, "Gallery items set as Members only outputs thumbnails for Guests", on the Composr CMS feature tracker.

If any users need further information on this addon, or need a fix backported to an older version, please let us know here.