Skip to main content

Quark Auto Save CVE-2026-45229

| EUVDEUVD-2026-30174 HIGH
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-05-13 VulnCheck GHSA-x5vh-96v7-w3ph
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 08:52 vuln.today
Analysis Generated
Jun 08, 2026 - 08:52 vuln.today
CVSS changed
May 13, 2026 - 21:22 NVD
8.8 (HIGH) 8.7 (HIGH)

DescriptionCVE.org

Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary. Attackers can exploit insufficient deny-list filtering to permanently replace stored login credentials, lock out legitimate administrators, and gain persistent access to all configured tasks, cloud tokens, and notification services.

AnalysisAI

Mass assignment in Quark Auto Save (also referenced as Quark Drive) before version 0.8.5 lets authenticated users overwrite administrator credentials by posting an arbitrary 'webui' object to the config_data dictionary through the POST /update endpoint. Successful exploitation locks out legitimate administrators and grants persistent control over scheduled tasks, cloud storage tokens, and notification integrations. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.05% (16th percentile), though a vendor patch is available in release v0.8.5.

Technical ContextAI

Quark Auto Save is an open-source self-hosted automation tool (GitHub repo Cp0204/quark-auto-save, CPE cpe:2.3:a:cp0204:quark-auto-save) that syncs and saves files from Quark cloud drive and exposes a Python/Flask-style web UI for managing scheduled tasks, cloud tokens, and notification webhooks. The flaw is a classic CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) in run.py: the POST /update handler merges client-supplied JSON directly into the persisted config_data dictionary using a deny-list rather than an allow-list, so a sub-object such as 'webui' (which stores the admin username and password hash) can be mutated by any authenticated caller. The upstream fix in commit ea8377a596446291953dbe36e2d119d85bcd865b ('security(run.py): 防止批量赋值攻击') tightens the filter to block reassignment of sensitive credential fields.

RemediationAI

Vendor-released patch: upgrade to Quark Auto Save v0.8.5 or later (https://github.com/Cp0204/quark-auto-save/releases/tag/v0.8.5), which incorporates commit ea8377a restricting which keys clients may write to config_data. For deployments that cannot upgrade immediately, restrict access to the /update endpoint at a reverse proxy (nginx/Caddy) so only trusted source IPs or VPN ranges can POST - this blocks the attack path but disables config edits from any other network. Avoid sharing the web UI account across users and rotate the admin password and any cloud-drive tokens or notification webhook secrets if the instance was internet-exposed before patching, since the bug allows silent credential overwrite. Removing the application from public exposure (placing it behind an SSO reverse proxy or on a private network) is the most reliable compensating control; the trade-off is loss of convenient remote management.

Share

CVE-2026-45229 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy