diff --git a/core/modules/image/image.module b/core/modules/image/image.module
index f0e0dfdec1ace961e7a440687ffe6644660f225c..956eafd6992b6f968988a6a9ceea7928bfb99695 100644
--- a/core/modules/image/image.module
+++ b/core/modules/image/image.module
@@ -301,7 +301,8 @@ function image_file_download($uri) {
 if ($info = image_get_info($uri)) {
 // Check the permissions of the original to grant access to this image.
 $headers = module_invoke_all('file_download', $original_uri);
- if (!in_array(-1, $headers)) {
+ // Confirm there's at least one module granting access and none denying access.
+ if (!empty($headers) && !in_array(-1, $headers)) {
 return array(
 // Send headers describing the image's size, and MIME-type...
 'Content-Type' => $info['mime_type'],
diff --git a/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php b/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php
index 1138f18b8cb8dba71910cce010f9a1a6260f1d52..ebb71ba7591d2b4f9c1af2b95c108ae79599ca4f 100644
--- a/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php
+++ b/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php
@@ -136,6 +136,12 @@ function _testImageStyleUrlAndPath($scheme, $clean_url = TRUE) {
 $this->drupalGet($generate_url);
 $this->assertResponse(200, 'Image was generated at the URL.');
 
+ // Make sure that access is denied for existing style files if we do not
+ // have access.
+ state()->delete('image.test_file_download');
+ $this->drupalGet($generate_url);
+ $this->assertResponse(403, 'Confirmed that access is denied for the private image style.');
+
 // Repeat this with a different file that we do not have access to and
 // make sure that access is denied.
 $file_noaccess = array_shift($files);
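Review bot: In the image.module hunk, the branch taken when the new `!empty($headers) && !in_array(-1, $headers)` guard fails lies outside the hunk, so it is not visible whether image_file_download() then returns -1 or falls through without a return value. It is worth confirming that the failure path ends in an explicit `return -1;`, so that a derivative whose original no module vouches for is denied by this function itself rather than left to whatever other hook_file_download implementations answer for the derivative URI. The added comment could also state why the empty case matters, for example `// An empty result means no module claims the original file, so fail closed: serve the derivative only if at least one module grants access and none returns -1.` From the visible lines `$headers` is used only in the condition and the returned array starts from this function's own 'Content-Type' entry; if the granting modules' headers (such as cache directives for private files) are meant to carry over to the derivative, that would need checking in the part of the array that continues past the hunk.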
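Review bot: In the ImageStylesPathAndUrlTest.php hunk, `state()->delete('image.test_file_download');` is never undone, so every later request in _testImageStyleUrlAndPath() runs with the grant removed; the method continues outside the hunk, and any following assertion that expects a 200 for this file would need the state value set again first. The method also takes a `$scheme` argument while the new assertion message speaks of a private image style; whether the added lines sit inside a private-only branch is not visible here, and if they also run for a scheme whose files are served without hook_file_download the 403 expectation would presumably not hold. A short comment on the delete call would help, for example `// Removing this state value stops the test module from granting access to the original file.` (assuming that is what the test module does with it).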