diff --git a/engine/server/sv_client.c b/engine/server/sv_client.c
index 10c8adca..fb00b443 100644
--- a/engine/server/sv_client.c
+++ b/engine/server/sv_client.c
@@ -1831,6 +1831,26 @@ static qboolean SV_DownloadFile_f( sv_client_t *cl )
 {
 if( sv_send_resources.value )
 {
+ int i;
+
+ // security: allow download only precached resources
+ for( i = 0; i < sv.num_resources; i++ )
+ {
+ const char *cmpname = name;
+
+ if( sv.resources[i].type == t_sound )
+ cmpname += sizeof( DEFAULT_SOUNDPATH ); // cut "sound/" off
+
+ if( !Q_strncmp( sv.resources[i].szFileName, cmpname, 64 ) )
+ break;
+ }
+
+ if( i == sv.num_resources )
+ {
+ SV_FailDownload( cl, name );
+ return true;
+ }
+
 // also check the model textures
 if( !Q_stricmp( COM_FileExtension( name ), "mdl" ))
 {
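Review bot: In the added resource loop, `cmpname += sizeof( DEFAULT_SOUNDPATH )` advances the pointer for every `t_sound` entry without checking that `name` starts with that prefix or is even that long, so a short requested name makes `Q_strncmp` read past the end of the string, and a name with any other leading bytes of the same length can match a sound entry and pass the allow-list. If DEFAULT_SOUNDPATH is the literal "sound/" as the comment suggests, `sizeof` also counts the terminating NUL and skips one character too many, so legitimate `sound/...` requests would fail to match. I would guard the advance inside a braced body: `if( Q_strncmp( name, DEFAULT_SOUNDPATH, sizeof( DEFAULT_SOUNDPATH ) - 1 )) continue;` followed by `cmpname += sizeof( DEFAULT_SOUNDPATH ) - 1;`. The literal `64` presumably mirrors the size of `szFileName`; `sizeof( sv.resources[i].szFileName )` would keep the bound in sync if that field is an array. SV_DownloadFile_f starts and ends outside the hunk, so how `name` is obtained and validated earlier is not visible here.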