diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml
index d7df459c3c2..cb2d0792f87 100644
--- a/.github/workflows/cypress.yml
+++ b/.github/workflows/cypress.yml
@@ -161,7 +161,7 @@ jobs:
 npm_package_name: ${{ env.APP_NAME }}
 - name: Upload test failure screenshots
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 if: failure()
 with:
 name: Upload screenshots
@@ -169,7 +169,7 @@ jobs:
 retention-days: 5
 - name: Upload nextcloud logs
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 if: failure()
 with:
 name: Upload nextcloud log
diff --git a/lib/Service/AttachmentService.php b/lib/Service/AttachmentService.php
index 5561fd4bae0..ad74f9d80b5 100644
--- a/lib/Service/AttachmentService.php
+++ b/lib/Service/AttachmentService.php
@@ -39,6 +39,7 @@
 use OCP\Files\NotPermittedException;
 use OCP\Files\SimpleFS\ISimpleFile;
 use OCP\IPreview;
+use OCP\ISession;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IShare;
 use OCP\Util;
@@ -59,6 +60,10 @@ class AttachmentService {
 * @var IPreview
 */
 private $previewManager;
+ /**
+ * @var ISession
+ */
+ private $session;
 /**
 * @var IMimeTypeDetector
 */
@@ -67,10 +72,12 @@ class AttachmentService {
 public function __construct(IRootFolder $rootFolder,
 ShareManager $shareManager,
 IPreview $previewManager,
+ ISession $session,
 IMimeTypeDetector $mimeTypeDetector) {
 $this->rootFolder = $rootFolder;
 $this->shareManager = $shareManager;
 $this->previewManager = $previewManager;
+ $this->session = $session;
 $this->mimeTypeDetector = $mimeTypeDetector;
 }
@@ -545,6 +552,27 @@ private function getTextFilePublic(?int $documentId, string $shareToken): File {
 try {
 $share = $this->shareManager->getShareByToken($shareToken);
 if ($share->getShareType() === IShare::TYPE_LINK) {
+
+ // check for password if required
+ /** @psalm-suppress RedundantConditionGivenDocblockType */
+ if ($share->getPassword() !== null) {
+ $shareId = $this->session->get('public_link_authenticated');
+ if ($share->getId() !== $shareId) {
+ throw new ShareNotFound();
+ }
+ }
+
+ // check read permission
+ if (($share->getPermissions() & Constants::PERMISSION_READ) !== Constants::PERMISSION_READ) {
+ throw new ShareNotFound();
+ }
+
+ // check download permission
+ $attributes = $share->getAttributes();
+ if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+ throw new ShareNotFound();
+ }
+
 // shared file or folder?
 if ($share->getNodeType() === 'file') {
 $textFile = $share->getNode();
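Review bot: The password gate compares `$share->getId()` to the raw session value with `!==`, and the value stored under `public_link_authenticated` is written by code outside this diff, so a type or shape difference (an integer id, or a list of ids) would make the comparison fail for every visitor. That fails closed, so the risk is legitimate password-authenticated visitors being refused rather than a bypass, but it is worth normalising: `if (!is_scalar($shareId) || (string)$share->getId() !== (string)$shareId) {`. The three new denial paths (unauthenticated password share, missing read permission, download disabled) have no tests in the visible diff; each deserves one so a later refactor cannot silently drop a check. The checks sit inside the `TYPE_LINK` branch only, and the rest of the `try` body is outside the hunk, so confirm that other token-based share types cannot reach the attachment through a later branch.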