Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads.
Impact
Any authenticated user with PERM_REPLACE (replace own files) and PERM_LIST (view other users' uploads) can delete any other user's file without needing PERM_DELETE.
AnalysisAI
An insufficient authorization check in a file replace API allows authenticated users with basic list and replace permissions to delete other users' files by abusing the deleteNewFile flag, bypassing the intended delete permission requirement. This affects any system implementing this vulnerable API pattern where permission checks are not properly enforced at the API endpoint level. While the CVSS score of 4.1 is moderate, the vulnerability requires high privilege level (authenticated user with PERM_REPLACE and PERM_LIST) and results in integrity impact through unauthorized file deletion across user boundaries.
Technical ContextAI
The vulnerability exists in a file management API that implements a replace operation with a deleteNewFile flag parameter. The root cause is an authorization control bypass (CWE-863: Incorrect Authorization) where the API endpoint fails to validate whether the authenticated user possesses the PERM_DELETE permission before processing file deletion requests triggered through the replace operation. The affected system uses a permission model with discrete capabilities: PERM_REPLACE (modify own files), PERM_LIST (enumerate other users' uploads), PERM_DELETE (remove files), and PERM_DELETE_OTHER_UPLOADS (remove other users' files). The flaw stems from inadequate permission checks that do not verify PERM_DELETE_OTHER_UPLOADS when the deleteNewFile flag is set in replace requests targeting files outside the authenticated user's ownership scope.
RemediationAI
The primary remediation is to apply security patches from the affected system's vendor. Until patches are available, implement compensating controls by: (1) explicitly validating PERM_DELETE_OTHER_UPLOADS authorization before processing deleteNewFile flag in replace API calls, (2) enforcing permission checks at the API endpoint level rather than delegating to downstream logic, (3) restricting PERM_LIST and PERM_REPLACE permission grants to users who genuinely require them, and (4) implementing comprehensive audit logging on all file deletion operations to detect suspicious patterns. Organizations should also review similar file operation APIs (copy, move, rename) for equivalent authorization bypass vulnerabilities using the same permission model. Request the vendor security advisory with exact patched versions and upgrade timelines.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12075
GHSA-j6jp-78w8-34x6