Skip to main content

linqi CVE-2026-11345

| EUVDEUVD-2026-34824 MEDIUM
Improper Authentication (CWE-287)
2026-06-05 linqi GHSA-xj32-w24w-7c6q
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 05, 2026 - 13:01 EUVD
Analysis Generated
Jun 05, 2026 - 12:28 vuln.today
CVSS changed
Jun 05, 2026 - 12:22 NVD
6.9 (MEDIUM)

DescriptionCVE.org

An Improper Authentication vulnerability in the /api/Cdn/GetFile endpoint of linqi allows unauthenticated, remote attackers to bypass file access controls. The ValidateAnonFileAccess function incorrectly grants access if an 'AnonFile' query parameter containing exactly 256 characters is provided. While this flaw allows bypassing the intended authorization check, the actual security impact is negligible; the exposed resources are strictly limited to minified JavaScript and CSS files that contain no sensitive data and are already publicly accessible via a standard CDN.

AnalysisAI

Authentication bypass in linqi's /api/Cdn/GetFile endpoint allows unauthenticated remote attackers to circumvent the ValidateAnonFileAccess authorization check by supplying an 'AnonFile' query parameter of exactly 256 characters. Despite the CVSS 4.0 score of 6.9 and a PR:N/AC:L attack vector suggesting easy, unauthenticated exploitation, the vendor's own advisory explicitly confirms the security impact is negligible: the only resources accessible via this bypass are minified JavaScript and CSS files already served publicly through a CDN. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing.

Technical ContextAI

linqi (by linqi GmbH, CPE: cpe:2.3:a:linqi_gmbh:linqi:*:*:*:*:*:*:*:*) exposes a CDN file retrieval endpoint at /api/Cdn/GetFile. The root cause is CWE-287 (Improper Authentication): the ValidateAnonFileAccess function contains a logic flaw where the mere presence of an 'AnonFile' query parameter containing exactly 256 characters is sufficient to pass the authorization gate, regardless of the caller's identity or actual entitlement. This is a classic off-by-one or length-check substitution error - the function likely uses string length as a proxy for a token or signature validity check, incorrectly treating a fixed-length string as a valid credential. The CPE wildcard version field (*) indicates all known linqi versions are affected. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) correctly reflects the ease of triggering the flaw over the network without credentials, while VC:L/VI:N/VA:N/SC:N accurately captures the low-sensitivity nature of the exposed data.

RemediationAI

Patch available per vendor advisory at https://linqi.help/en/reference/security/security-advisories/#security-advisory-improper-authentication-bypass-in-cdn-file-access-in-the-linqi-application - no specific fixed version number is confirmed in the available data, so administrators should consult the advisory directly to identify the target upgrade version. The underlying fix should correct the ValidateAnonFileAccess function to replace the flawed 256-character length check with proper token validation or signature verification. Given that the exposed resources are already publicly accessible static assets, the urgency for emergency patching is low; however, the logic flaw itself should be remediated to prevent future scope creep if the endpoint's access controls are later extended to cover sensitive files. As a compensating control, network-layer filtering to block requests to /api/Cdn/GetFile containing an AnonFile parameter of exactly 256 characters is technically feasible but operationally fragile and not recommended as a permanent measure.

Share

CVE-2026-11345 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy