In Lucee 22.214.171.124 and before, when you upload a file it will inherit the ACL permissions of the destination directory.
In 126.96.36.199, an uploaded file does not inherit the destination folder's permissions. Instead it keeps the permissions of the current temp directory (i.e. as returned by GetTempDirectory() ).
Steps to reproduce (on Windows):
1) Create a folder into which a file will be uploaded, and add a permission not present on the current temp directory, for example grant Read permissions to ANONYMOUS LOGON.
2) Create a script to upload a file to this folder, e.g
3) Upload a file and look at the permissions of the uploaded file. In my tests, a file uploaded with Lucee 188.8.131.52 has the additional Anonymous Read permission, on Lucee 184.108.40.206 it does not.
OS: Windows, Java: OpenJDK 220.127.116.11