Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
PR:L reflects the required authenticated session with remote download permission; C:H captures full internal response exfiltration; I:N and A:N because no write or denial-of-service impact is present.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Cloudreve is a self-hosted file management and sharing system. Prior to 4.16.1, Cloudreve's remote download workflow accepts user-supplied URLs at POST /api/v4/workflow/download and passes them to the configured downloader without blocking loopback, localhost, IPv6 localhost, or redirect-to-loopback targets, allowing a non-admin user with remote download permission to fetch internal-only URLs and read the response after it is imported into the user's own files. This issue is fixed in version 4.16.1.
AnalysisAI
Server-Side Request Forgery in Cloudreve's remote download workflow (versions prior to 4.16.1) enables authenticated users holding the remote download permission to direct the application server to fetch arbitrary internal URLs via POST /api/v4/workflow/download. Because the downloader accepted user-supplied URLs without validating loopback, localhost, IPv6 localhost, or redirect-to-loopback targets, a low-privileged user could exfiltrate responses from internal services - including cloud instance metadata endpoints, internal APIs, or services bound to 127.0.0.1 - by reading the downloaded content from their own Cloudreve file storage. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid Cloudreve user account with the remote download feature permission explicitly granted - this is a non-admin permission that operators assign to users, confirmed by the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N accurately reflects the threat profile: network-reachable, low complexity, but constrained by a required authenticated session with remote download permission (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid Cloudreve account and remote download permission submits a POST request to /api/v4/workflow/download with the URL set to http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS instance metadata) or http://127.0.0.1:6379 (local Redis). The Cloudreve server fetches the target URL server-side and stores the response as a file in the attacker's Cloudreve storage, where they then download or preview it to read the internal service response. … |
| Remediation | Upgrade to Cloudreve 4.16.1 or later, available at https://github.com/cloudreve/cloudreve/releases/tag/4.16.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS), via the file upload functi
Privilege escalation via OAuth scope enforcement bypass affects Cloudreve self-hosted file management versions 4.12.0 th
Path traversal via improper authorization in Cloudreve's WebDAV handler lets a scoped WebDAV account escape its configur
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44687