Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Attacker needs a validly issued low-scope OAuth token (PR:L) and replays it over the network with no victim interaction (UI:N), gaining high-scope read/write within the same app (C:H/I:H, S:U).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cloudreve is a self-hosted file management and sharing system. From 4.12.0 until 4.16.1, Cloudreve's OAuth access tokens are issued without the OAuth client_id claim, so the JWT verifier does not load token scopes into request context and RequiredScopes treats the request like non-scoped session authentication, allowing a low-scope OAuth access token to call APIs requiring higher scopes such as file, share, workflow, user setting, WebDAV account, and potentially admin scopes. This issue is fixed in version 4.16.1.
AnalysisAI
Privilege escalation via OAuth scope enforcement bypass affects Cloudreve self-hosted file management versions 4.12.0 through 4.16.0, where access tokens are issued without the client_id claim. Because the JWT verifier keys scope loading on client_id, a holder of a legitimately-issued low-scope OAuth access token can invoke APIs requiring higher scopes - file, share, workflow, user setting, WebDAV account, and potentially admin - as the enforcement layer degrades to non-scoped session authentication. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to possess a validly issued Cloudreve OAuth access token (any low scope suffices) from an affected instance running 4.12.0-4.16.0; the vulnerability is inherent to how those versions issue tokens without the client_id claim, so no special server configuration beyond having OAuth token issuance in use is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L, score 7.6) aligns with a network-reachable, low-effort authorization flaw requiring an authenticated actor (PR:L) who already possesses a validly issued low-scope OAuth token. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who is granted (or obtains) a Cloudreve OAuth access token scoped only for a minimal permission, such as read-only or a single narrow scope, replays that token against API endpoints that should require higher scopes - for example file, share, workflow, or user-setting operations - and the server honors the request because scope enforcement silently degrades to full session-level authorization. No public exploit is identified at time of analysis, but the flaw requires only crafting authenticated API calls (AC:L) over the network with a low-privilege token. |
| Remediation | Vendor-released patch: 4.16.1 - upgrade all affected Cloudreve instances (4.12.0 through 4.16.0) to 4.16.1 or later, which adds the missing ClientID claim so scopes are correctly loaded and enforced (fix commit ed20843dc3df20a25fcaf6b538647e11c4d68d87). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Cloudreve instances in production and development environments to determine which are running affected versions 4.12.0 through 4.16.0. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS), via the file upload functi
Path traversal via improper authorization in Cloudreve's WebDAV handler lets a scoped WebDAV account escape its configur
Server-Side Request Forgery in Cloudreve's remote download workflow (versions prior to 4.16.1) enables authenticated use
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44689