I run a health and fitness site, and some members are very sensitive about their progress pictures. As such, I have some private forums that only a small group of users can access. Unfortunately, I just discovered that if the exact URL is known, anyone can view an attached image that has been posted to a private forum. This should definitely not be possible when the image is sitting in a forum that someone would otherwise not have access to.
Here's an example: http://forums.johnstonefitness.com/data/attachments/26/26399-a38143f1c58780acd20fdc302226b307.jpg
That image is in a locked-down forum.