Skip to main content

Cloudreve CVE-2026-54563

| EUVDEUVD-2026-44688 HIGH
Incorrect Authorization (CWE-863)
2026-07-15 GitHub_M
7.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
8.3 HIGH

Network-reachable /dav with low complexity and no UI; requires an existing scoped WebDAV credential (PR:L); writable credentials can overwrite and delete arbitrary files (C:H/I:H) and deletion affects availability (A:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 17:48 EUVD
Analysis Generated
Jul 15, 2026 - 15:22 vuln.today
CVE Published
Jul 15, 2026 - 14:38 cve.org
HIGH 7.1

DescriptionCVE.org

Cloudreve is a self-hosted file management and sharing system. Prior to 4.16.1, a Cloudreve WebDAV account rooted at a configured folder can send paths such as /dav/%2e%2e/outside.txt because stripPrefix in pkg/webdav/webdav.go joins the decoded request suffix to the account root with fs.URI.JoinRaw without checking containment, allowing the scoped credential to read and list files outside the configured folder and writable credentials to create, overwrite, move, or delete them. This issue is reported as fixed in version 4.16.1.

AnalysisAI

Path traversal via improper authorization in Cloudreve's WebDAV handler lets a scoped WebDAV account escape its configured root folder, reading and listing files anywhere the server process can reach, and - with a writable credential - creating, overwriting, moving, or deleting them. All versions prior to 4.16.1 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain scoped WebDAV credential
Delivery
Send /dav request with %2e%2e encoded traversal
Exploit
stripPrefix joins decoded suffix without containment check
Execution
Resolve path outside configured root
Impact
Read, exfiltrate, or overwrite/delete external files

Vulnerability AssessmentAI

Exploitation Requires a valid Cloudreve WebDAV account scoped/rooted to a configured folder (PR:L) on an instance running a version prior to 4.16.1 with WebDAV enabled; read and list of files outside the folder work with any scoped credential, while create, overwrite, move, and delete require a credential provisioned with write access. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, base 7.1) indicates network-reachable, low-complexity exploitation that requires an existing low-privileged credential (PR:L) and no user interaction - a realistic profile on a multi-tenant or shared Cloudreve instance where WebDAV accounts are handed out. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a low-privileged Cloudreve WebDAV credential scoped to a single shared folder sends a request such as GET /dav/%2e%2e/outside.txt; the server decodes the traversal and resolves it outside the credential's root, returning files it should never expose. With a writable credential, the same technique lets the attacker overwrite configuration or user data or delete files outside the folder. …
Remediation Vendor-released patch: upgrade to Cloudreve 4.16.1 or later, which adds the missing containment check to WebDAV path resolution, per advisory GHSA-w5fv-7x5q-g8qp (https://github.com/cloudreve/cloudreve/security/advisories/GHSA-w5fv-7x5q-g8qp). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory Cloudreve deployments, identify affected versions (prior to 4.16.1), and list all accounts with WebDAV access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54563 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy