{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30230", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T17:23:59.797Z", "datePublished": "2026-03-06T21:09:59.726Z", "dateUpdated": "2026-03-09T20:54:29.041Z"}, "containers": {"cna": {"title": "Flare: Password\u2011Protected Thumbnail Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7"}], "affected": [{"vendor": "FlintSH", "product": "Flare", "versions": [{"version": "< 1.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T21:09:59.726Z"}, "descriptions": [{"lang": "en", "value": "Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password\u2011protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2."}], "source": {"advisory": "GHSA-3x7v-x3r6-mjh7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30230", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:45:55.808964Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:54:29.041Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30230", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:45:55.808964Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:47:34.472Z"}}], "cna": {"title": "Flare: Password\u2011Protected Thumbnail Bypass", "source": {"advisory": "GHSA-3x7v-x3r6-mjh7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "FlintSH", "product": "Flare", "versions": [{"status": "affected", "version": "< 1.7.2"}]}], "references": [{"url": "https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7", "name": "https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password\u2011protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T21:09:59.726Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30230", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:54:29.041Z", "dateReserved": "2026-03-04T17:23:59.797Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T21:09:59.726Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flintsh:flare:*:*:*:*:*:*:*:*", "matchCriteriaId": "4166EF32-3722-49DA-8764-A48E4CE75863", "versionEndExcluding": "1.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password\u2011protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2."}, {"lang": "es", "value": "Flare es una plataforma para compartir archivos autoalojable, basada en Next.js, que se integra con herramientas de captura de pantalla. Antes de la versi\u00f3n 1.7.2, el endpoint de miniaturas no valida la contrase\u00f1a para los archivos protegidos con contrase\u00f1a. Verifica la propiedad/administraci\u00f3n para archivos privados, pero omite la verificaci\u00f3n de la contrase\u00f1a, permitiendo el acceso a las miniaturas sin la contrase\u00f1a. Este problema ha sido parcheado en la versi\u00f3n 1.7.2."}], "id": "CVE-2026-30230", "lastModified": "2026-04-09T20:20:02.933", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T21:16:17.077", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "flare: Flare: Unauthorized information disclosure due to improper access control in the thumbnail endpoint.", "id": "2445349", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445349"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-306", "details": ["A flaw was found in Flare, a file sharing platform. A remote attacker could exploit this vulnerability due to improper access control in the thumbnail endpoint. This flaw allows an attacker to access thumbnails of password-protected files without providing the correct password, leading to unauthorized information disclosure."], "name": "CVE-2026-30230", "public_date": "2026-03-06T21:09:59Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30230\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30230\nhttps://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7"], "statement": "This IMPORTANT vulnerability in Flare allows unauthenticated remote attackers to access thumbnails of password-protected files. The thumbnail endpoint skips password verification while other endpoints enforce it, exposing image previews without authorization. Impact is limited to low confidentiality loss as only thumbnails are exposed, not full file contents.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Flare", "source": "cna", "vendor": "FlintSH"}, "product": "flare", "vendor": "flintsh"}], "analysis": {"en": {"generated_at": "2026-04-16T11:09:55.618926+00:00", "value": {"mitigation_remediation": ["Upgrade Flare to version 1.7.2 or later to re\u2011enable password validation for thumbnail requests.", "If an upgrade is not immediately possible, configure the server to block or restrict access to the thumbnail endpoint for password\u2011protected files, for example by requiring authentication or by disabling thumbnail generation for such files.", "Verify that other file\u2011display or download endpoints do not have similar missing authentication checks, and apply any applicable patches or configuration changes to enforce proper access control."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized thumbnail access to password\u2011protected files"}, "threat_synthesis": {"affected_systems": "FlintSH Flare prior to version 1.7.2. The flaw is present in any self\u2011hosted deployment of Flare that has not applied the patch included in release 1.7.2.", "description_and_impact": "The vulnerability exists because the thumbnail endpoint in Flare does not perform password verification for files that are protected by a user\u2011supplied password. While the endpoint still checks for ownership or administrative rights on private files, it skips the password check entirely for protected files. This omission allows anyone who can formulate a request to the thumbnail URL to retrieve a visual preview of the file without knowing the password, thereby bypassing the intended access control and potentially revealing sensitive data or file metadata.", "risk_and_exploitability": "The CVSS score of 8.2 indicates a high severity vulnerability with complete data confidentiality impact. The EPSS score is below 1\u202f%, and the vulnerability has not been identified in the CISA KEV catalog, suggesting a low probability of widespread exploitation. Nonetheless, the attack vector is straightforward: an attacker can issue a crafted HTTP request to the thumbnail endpoint for a known protected file, bypassing password authentication without requiring any additional credentials. The ease of exploitation combined with the high severity warrants prompt remediation."}}}}, "created": "2026-03-09T10:06:52.225532+00:00", "updated": "2026-04-16T11:15:27.686979+00:00", "vendors": ["flintsh", "flintsh$PRODUCT$flare"]}