diff --git a/src/api/core/ciphers.rs b/src/api/core/ciphers.rs
index 0e46a1d2..3832aeb4 100644
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@@ -39,6 +39,7 @@ pub fn routes() -> Vec<Route> {
         post_ciphers_admin,
         post_ciphers_create,
         post_ciphers_import,
+        get_attachment,
         post_attachment,
         post_attachment_admin,
         post_attachment_share,
@@ -754,6 +755,15 @@ fn share_cipher_by_uuid(
     Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn)))
 }
 
+#[get("/ciphers/<uuid>/attachment/<attachment_id>")]
+fn get_attachment(uuid: String, attachment_id: String, headers: Headers, conn: DbConn) -> JsonResult {
+    match Attachment::find_by_id(&attachment_id, &conn) {
+        Some(attachment) if uuid == attachment.cipher_uuid => Ok(Json(attachment.to_json(&headers.host))),
+        Some(_) => err!("Attachment doesn't belong to cipher"),
+        None => err!("Attachment doesn't exist"),
+    }
+}
+
 #[post("/ciphers/<uuid>/attachment", format = "multipart/form-data", data = "<data>")]
 fn post_attachment(
     uuid: String,
diff --git a/src/api/web.rs b/src/api/web.rs
index 1416da0d..645f79a7 100644
--- a/src/api/web.rs
+++ b/src/api/web.rs
@@ -55,9 +55,9 @@ fn web_files(p: PathBuf) -> Cached<Option<NamedFile>> {
     Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder()).join(p)).ok())
 }
 
-#[get("/attachments/<uuid>/<file..>")]
-fn attachments(uuid: String, file: PathBuf) -> Option<NamedFile> {
-    NamedFile::open(Path::new(&CONFIG.attachments_folder()).join(uuid).join(file)).ok()
+#[get("/attachments/<uuid>/<file_id>")]
+fn attachments(uuid: String, file_id: String) -> Option<NamedFile> {
+    NamedFile::open(Path::new(&CONFIG.attachments_folder()).join(uuid).join(file_id)).ok()
 }
 
 #[get("/sends/<send_id>/<file_id>")]