Skip to main content

Cryptobox CVE-2026-6805

| EUVDEUVD-2026-28342 MEDIUM
Improper Handling of Insufficient Permissions or Privileges (CWE-280)
2026-05-07 THA-PSIRT GHSA-p3ph-4r57-hh5x
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 07, 2026 - 10:30 vuln.today
CVSS changed
May 07, 2026 - 10:22 NVD
6.9 (MEDIUM)
CVE Published
May 07, 2026 - 09:45 nvd
MEDIUM 6.9

DescriptionCVE.org

Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.

AnalysisAI

Cryptobox external sharing feature leaks information via sharing link URLs that enables offline brute-force attacks against access codes. Remote unauthenticated attackers with knowledge of a sharing link can retrieve sufficient data from the server to conduct offline enumeration of the associated access code, compromising the confidentiality of shared content. No public exploit code has been identified, but the low attack complexity and network accessibility make this a practical vulnerability.

Technical ContextAI

Cryptobox implements external file sharing functionality that uses URLs containing sharing links as access control mechanisms. The vulnerability stems from CWE-280 (Improper Handling of Insufficient Permissions or Privileges), where the sharing link endpoint returns information that leaks details about the access code structure or validation logic. This allows attackers to perform offline cryptographic attacks (brute-force, dictionary attacks) against the access code without rate-limiting or server-side validation constraints that would normally throttle repeated guesses. The attack is feasible because the server discloses sufficient entropy or implementation details in its response to a sharing link query.

RemediationAI

Contact Cryptobox vendor (ERCOM) via THA-PSIRT or official advisory channel at https://info.cryptobox.com/ to obtain the latest patched version. Until patching is possible, implement network-level access controls: restrict Cryptobox sharing endpoints to trusted IP ranges or require VPN access, and disable public external sharing if not operationally required. Additionally, configure Cryptobox to use cryptographically random, high-entropy access codes (minimum 128-bit entropy recommended) and enforce rate-limiting on access code validation attempts (e.g., max 5 attempts per sharing link per hour) to increase the cost of offline brute-force attacks. Monitor access logs for anomalous patterns of sharing link queries from single sources.

Share

CVE-2026-6805 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy