EUVD-2026-12075
GHSA-j6jp-78w8-34x6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
Lifecycle Timeline
4Description
## Summary An insufficient authorization check in the file replace API allows a user with only list visibility permission (`UserPermListOtherUploads`) to delete another user's file by abusing the `deleteNewFile` flag, bypassing the requirement for `UserPermDeleteOtherUploads`. ### Impact Any authenticated user with `PERM_REPLACE` (replace own files) and `PERM_LIST` (view other users' uploads) can delete any other user's file without needing `PERM_DELETE`.
Analysis
An insufficient authorization check in a file replace API allows authenticated users with basic list and replace permissions to delete other users' files by abusing the deleteNewFile flag, bypassing the intended delete permission requirement. This affects any system implementing this vulnerable API pattern where permission checks are not properly enforced at the API endpoint level. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today