User uploaded files may be publicly available

Hi,

Episerver Forms 4.25.0 restricts access to uploaded files by removing the "Everyone" role and leaving everything else as-is. If the instance has defined additional read access for Visitor Groups, Users or other Groups, these remain and allow the users to read the uploaded files without special privileges.

These users, especially the "Anonymous" role, should not have any visibility of the uploaded files.

Is this an intentional feature or a security issue? I would be happy to find a more secure workaround to restrict the file access from all but the content editors.

Please see the method EPiServer.Forms.Core.Internal.DataSubmissionService.GetOrCreateFolderForStoringFiles() in EPiServer.Forms.Core.dll for details.