Skip to main content

Suse CVE-2026-30943

| EUVDEUVD-2026-12075 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-13 https://github.com/Forceu/Gokapi GHSA-j6jp-78w8-34x6
4.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.1 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 19:00 euvd
EUVD-2026-12075
Analysis Generated
Mar 13, 2026 - 19:00 vuln.today
CVE Published
Mar 13, 2026 - 18:56 nvd
MEDIUM 4.1

DescriptionGitHub Advisory

Summary

An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads.

Impact

Any authenticated user with PERM_REPLACE (replace own files) and PERM_LIST (view other users' uploads) can delete any other user's file without needing PERM_DELETE.

AnalysisAI

An insufficient authorization check in a file replace API allows authenticated users with basic list and replace permissions to delete other users' files by abusing the deleteNewFile flag, bypassing the intended delete permission requirement. This affects any system implementing this vulnerable API pattern where permission checks are not properly enforced at the API endpoint level. While the CVSS score of 4.1 is moderate, the vulnerability requires high privilege level (authenticated user with PERM_REPLACE and PERM_LIST) and results in integrity impact through unauthorized file deletion across user boundaries.

Technical ContextAI

The vulnerability exists in a file management API that implements a replace operation with a deleteNewFile flag parameter. The root cause is an authorization control bypass (CWE-863: Incorrect Authorization) where the API endpoint fails to validate whether the authenticated user possesses the PERM_DELETE permission before processing file deletion requests triggered through the replace operation. The affected system uses a permission model with discrete capabilities: PERM_REPLACE (modify own files), PERM_LIST (enumerate other users' uploads), PERM_DELETE (remove files), and PERM_DELETE_OTHER_UPLOADS (remove other users' files). The flaw stems from inadequate permission checks that do not verify PERM_DELETE_OTHER_UPLOADS when the deleteNewFile flag is set in replace requests targeting files outside the authenticated user's ownership scope.

RemediationAI

The primary remediation is to apply security patches from the affected system's vendor. Until patches are available, implement compensating controls by: (1) explicitly validating PERM_DELETE_OTHER_UPLOADS authorization before processing deleteNewFile flag in replace API calls, (2) enforcing permission checks at the API endpoint level rather than delegating to downstream logic, (3) restricting PERM_LIST and PERM_REPLACE permission grants to users who genuinely require them, and (4) implementing comprehensive audit logging on all file deletion operations to detect suspicious patterns. Organizations should also review similar file operation APIs (copy, move, rename) for equivalent authorization bypass vulnerabilities using the same permission model. Request the vendor security advisory with exact patched versions and upgrade timelines.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-30943 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy