Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Network-reachable /dav with low complexity and no UI; requires an existing scoped WebDAV credential (PR:L); writable credentials can overwrite and delete arbitrary files (C:H/I:H) and deletion affects availability (A:L).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Cloudreve is a self-hosted file management and sharing system. Prior to 4.16.1, a Cloudreve WebDAV account rooted at a configured folder can send paths such as /dav/%2e%2e/outside.txt because stripPrefix in pkg/webdav/webdav.go joins the decoded request suffix to the account root with fs.URI.JoinRaw without checking containment, allowing the scoped credential to read and list files outside the configured folder and writable credentials to create, overwrite, move, or delete them. This issue is reported as fixed in version 4.16.1.
AnalysisAI
Path traversal via improper authorization in Cloudreve's WebDAV handler lets a scoped WebDAV account escape its configured root folder, reading and listing files anywhere the server process can reach, and - with a writable credential - creating, overwriting, moving, or deleting them. All versions prior to 4.16.1 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid Cloudreve WebDAV account scoped/rooted to a configured folder (PR:L) on an instance running a version prior to 4.16.1 with WebDAV enabled; read and list of files outside the folder work with any scoped credential, while create, overwrite, move, and delete require a credential provisioned with write access. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, base 7.1) indicates network-reachable, low-complexity exploitation that requires an existing low-privileged credential (PR:L) and no user interaction - a realistic profile on a multi-tenant or shared Cloudreve instance where WebDAV accounts are handed out. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a low-privileged Cloudreve WebDAV credential scoped to a single shared folder sends a request such as GET /dav/%2e%2e/outside.txt; the server decodes the traversal and resolves it outside the credential's root, returning files it should never expose. With a writable credential, the same technique lets the attacker overwrite configuration or user data or delete files outside the folder. … |
| Remediation | Vendor-released patch: upgrade to Cloudreve 4.16.1 or later, which adds the missing containment check to WebDAV path resolution, per advisory GHSA-w5fv-7x5q-g8qp (https://github.com/cloudreve/cloudreve/security/advisories/GHSA-w5fv-7x5q-g8qp). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory Cloudreve deployments, identify affected versions (prior to 4.16.1), and list all accounts with WebDAV access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS), via the file upload functi
Privilege escalation via OAuth scope enforcement bypass affects Cloudreve self-hosted file management versions 4.12.0 th
Server-Side Request Forgery in Cloudreve's remote download workflow (versions prior to 4.16.1) enables authenticated use
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44688