Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, low-complexity bypass needing only a share-link token (PR:L, no UI); impact is mass disclosure of shared files so C:H, with no evidenced integrity or availability impact (I:N/A:N).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link token can call the GET endpoint to obtain a fileserver zip token and download entire shared directory trees.
AnalysisAI
Authorization bypass in Seahub (the Seafile web frontend) before 13.0.23 lets a holder of a folder share-link token call GET /api/v2.1/share-link-zip-task/ without honoring the SHARE_LINK_LOGIN_REQUIRED policy, obtaining a fileserver zip token to download entire shared directory trees. Classified as CWE-862 (Missing Authorization) and reported by VulnCheck with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid folder share-link token for the target Seahub instance and that the deployment relies on the SHARE_LINK_LOGIN_REQUIRED setting being enabled (the very control the bug bypasses); the attack targets the GET method of /api/v2.1/share-link-zip-task/ to mint a fileserver zip token for the linked folder. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) scores 8.7 (High) and reflects a network-reachable, low-complexity attack with low privileges and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who obtains or guesses a folder share-link token - for example one leaked in a forwarded email, chat, or referrer log - sends a GET request to /api/v2.1/share-link-zip-task/ on a Seahub instance that has SHARE_LINK_LOGIN_REQUIRED enabled. Instead of being forced to log in, the attacker receives a fileserver zip token and downloads the entire shared directory tree. … |
| Remediation | Upgrade Seahub to the fixed release: Vendor-released patch: 13.0.23, which adds the SHARE_LINK_LOGIN_REQUIRED enforcement to the GET handler (see fix commits https://github.com/haiwen/seahub/commit/b609949cf64ed6a15708d0fb5ea9c179962e23cc and https://github.com/haiwen/seahub/commit/162cddae0831188d02bb8d451dc2193e197dcc57, and the VulnCheck advisory https://www.vulncheck.com/advisories/seahub-authentication-bypass-in-sharelinkziptaskview-get-method). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Seahub deployments and identify instances running versions before 13.0.23; prioritize internet-facing or sensitive-data instances. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39520
GHSA-w52g-25r7-3c46