diff --git a/workflow/engine/controllers/pmTables.php b/workflow/engine/controllers/pmTables.php
index 4d1099d80..5ed01b43d 100644
--- a/workflow/engine/controllers/pmTables.php
+++ b/workflow/engine/controllers/pmTables.php
@@ -152,6 +152,11 @@ class pmTables extends Controller
 $sFileName = $httpData->f;
 $realPath = $PUBLIC_ROOT_PATH . $sFileName;
+
+ if ($this->isValidFileToBeStreamed($sFileName) === false) {
+ throw new Exception("You are trying to access an unauthorized resource.");
+ }
+
 G::streamFile( $realPath, true );
 unlink( $realPath );
 }
@@ -206,5 +211,32 @@ class pmTables extends Controller
 $tableSize = $tableSize - 8; // Prefix PMT_
 return $tableSize;
 }
+
+ /**
+ * Validates if the file with the $fileName is a valid one,
+ * that is, it must be a file without relative references that
+ * can open a door to get some unauthorized system file and
+ * must have one of the valid file extensions.
+ *
+ * @param $fileName, emporal file name that will be streamed
+ * @return bool
+ */
+ private function isValidFileToBeStreamed($fileName)
+ {
+ $result = true;
+ $validExtensionsForExporting = ['csv', 'pmt'];
+
+ $pathInfo = pathinfo($fileName);
+
+ if ($pathInfo['dirname'] !== '.') {
+ $result = false;
+ }
+
+ if (!in_array($pathInfo['extension'], $validExtensionsForExporting)) {
+ $result = false;
+ }
+
+ return $result;
+ }
 }
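Review bot: In the first hunk (`@@ -152,6 +152,11 @@`), the new guard validates only the text of `$sFileName`. `$realPath` is still passed to `G::streamFile` and then `unlink` without confirming that it is an existing regular file. Because the file is deleted right after streaming, I would add a check on the path itself after the name check, for example `if (!is_file($realPath)) { throw new Exception("You are trying to access an unauthorized resource."); }`. Comparing `realpath($realPath)` against the resolved `$PUBLIC_ROOT_PATH` would also cover a symlink placed in that directory. The enclosing method starts above the hunk, so I cannot tell whether `$httpData->f` is guaranteed to be a non-empty string when it reaches `pathinfo()`.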
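Review bot: In the second hunk (`@@ -206,5 +211,32 @@`), `isValidFileToBeStreamed` reads `$pathInfo['extension']` unconditionally, but `pathinfo()` omits that key when the name has no dot. An extension-less name is still rejected, but only after an undefined-index notice. Read it defensively and make the allow-list comparison strict: `$extension = isset($pathInfo['extension']) ? $pathInfo['extension'] : '';` followed by `if (!in_array($extension, $validExtensionsForExporting, true)) {`. The docblock's `@param` line has a typo and no type; I would write it as `@param string $fileName temporary file name that will be streamed`. It is also worth documenting that the extension match is case-sensitive, so `.CSV` is refused.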