Skip to main content

Cloudreve CVE-2026-54560

| EUVDEUVD-2026-44689 HIGH
Incorrect Authorization (CWE-863)
2026-07-15 GitHub_M
7.6
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
vuln.today AI
8.3 HIGH

Attacker needs a validly issued low-scope OAuth token (PR:L) and replays it over the network with no victim interaction (UI:N), gaining high-scope read/write within the same app (C:H/I:H, S:U).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 15:22 vuln.today
Analysis Generated
Jul 15, 2026 - 15:22 vuln.today
CVE Published
Jul 15, 2026 - 14:40 cve.org
HIGH 7.6

DescriptionCVE.org

Cloudreve is a self-hosted file management and sharing system. From 4.12.0 until 4.16.1, Cloudreve's OAuth access tokens are issued without the OAuth client_id claim, so the JWT verifier does not load token scopes into request context and RequiredScopes treats the request like non-scoped session authentication, allowing a low-scope OAuth access token to call APIs requiring higher scopes such as file, share, workflow, user setting, WebDAV account, and potentially admin scopes. This issue is fixed in version 4.16.1.

AnalysisAI

Privilege escalation via OAuth scope enforcement bypass affects Cloudreve self-hosted file management versions 4.12.0 through 4.16.0, where access tokens are issued without the client_id claim. Because the JWT verifier keys scope loading on client_id, a holder of a legitimately-issued low-scope OAuth access token can invoke APIs requiring higher scopes - file, share, workflow, user setting, WebDAV account, and potentially admin - as the enforcement layer degrades to non-scoped session authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-scope OAuth access token
Delivery
Send request to higher-scope API endpoint
Exploit
client_id absent so scopes not loaded
Execution
RequiredScopes degrades to session auth
Impact
Read or modify files, shares, and settings

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess a validly issued Cloudreve OAuth access token (any low scope suffices) from an affected instance running 4.12.0-4.16.0; the vulnerability is inherent to how those versions issue tokens without the client_id claim, so no special server configuration beyond having OAuth token issuance in use is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L, score 7.6) aligns with a network-reachable, low-effort authorization flaw requiring an authenticated actor (PR:L) who already possesses a validly issued low-scope OAuth token. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who is granted (or obtains) a Cloudreve OAuth access token scoped only for a minimal permission, such as read-only or a single narrow scope, replays that token against API endpoints that should require higher scopes - for example file, share, workflow, or user-setting operations - and the server honors the request because scope enforcement silently degrades to full session-level authorization. No public exploit is identified at time of analysis, but the flaw requires only crafting authenticated API calls (AC:L) over the network with a low-privilege token.
Remediation Vendor-released patch: 4.16.1 - upgrade all affected Cloudreve instances (4.12.0 through 4.16.0) to 4.16.1 or later, which adds the missing ClientID claim so scopes are correctly loaded and enforced (fix commit ed20843dc3df20a25fcaf6b538647e11c4d68d87). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Cloudreve instances in production and development environments to determine which are running affected versions 4.12.0 through 4.16.0. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54560 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy