Skip to main content

Cloudreve

4 CVEs product

Monthly

CVE-2026-54560 HIGH PATCH This Week

Privilege escalation via OAuth scope enforcement bypass affects Cloudreve self-hosted file management versions 4.12.0 through 4.16.0, where access tokens are issued without the client_id claim. Because the JWT verifier keys scope loading on client_id, a holder of a legitimately-issued low-scope OAuth access token can invoke APIs requiring higher scopes - file, share, workflow, user setting, WebDAV account, and potentially admin - as the enforcement layer degrades to non-scoped session authentication. No public exploit identified at time of analysis, but the root cause is confirmed by the vendor's fix commit and advisory GHSA-vgj4-345g-jcf8, with the issue resolved in 4.16.1.

Authentication Bypass Cloudreve
NVD GitHub
CVSS 3.1
7.6
CVE-2026-54563 HIGH PATCH This Week

Path traversal via improper authorization in Cloudreve's WebDAV handler lets a scoped WebDAV account escape its configured root folder, reading and listing files anywhere the server process can reach, and - with a writable credential - creating, overwriting, moving, or deleting them. All versions prior to 4.16.1 are affected. No public exploit is identified at time of analysis and it is not listed in CISA KEV, though the flaw is straightforward to trigger once a low-privileged WebDAV credential is held.

Authentication Bypass Cloudreve
NVD GitHub
CVSS 3.1
7.1
CVE-2026-54562 MEDIUM PATCH This Month

Server-Side Request Forgery in Cloudreve's remote download workflow (versions prior to 4.16.1) enables authenticated users holding the remote download permission to direct the application server to fetch arbitrary internal URLs via POST /api/v4/workflow/download. Because the downloader accepted user-supplied URLs without validating loopback, localhost, IPv6 localhost, or redirect-to-loopback targets, a low-privileged user could exfiltrate responses from internal services - including cloud instance metadata endpoints, internal APIs, or services bound to 127.0.0.1 - by reading the downloaded content from their own Cloudreve file storage. No public exploit has been identified at time of analysis; vendor-released patch 4.16.1 is available.

SSRF Cloudreve
NVD GitHub
CVSS 3.1
6.5
CVE-2022-32167 Go MEDIUM POC PATCH This Month

Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS), via the file upload functionality. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload XSS Privilege Escalation Cloudreve
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVSS 7.6
HIGH PATCH This Week

Privilege escalation via OAuth scope enforcement bypass affects Cloudreve self-hosted file management versions 4.12.0 through 4.16.0, where access tokens are issued without the client_id claim. Because the JWT verifier keys scope loading on client_id, a holder of a legitimately-issued low-scope OAuth access token can invoke APIs requiring higher scopes - file, share, workflow, user setting, WebDAV account, and potentially admin - as the enforcement layer degrades to non-scoped session authentication. No public exploit identified at time of analysis, but the root cause is confirmed by the vendor's fix commit and advisory GHSA-vgj4-345g-jcf8, with the issue resolved in 4.16.1.

Authentication Bypass Cloudreve
NVD GitHub
CVSS 7.1
HIGH PATCH This Week

Path traversal via improper authorization in Cloudreve's WebDAV handler lets a scoped WebDAV account escape its configured root folder, reading and listing files anywhere the server process can reach, and - with a writable credential - creating, overwriting, moving, or deleting them. All versions prior to 4.16.1 are affected. No public exploit is identified at time of analysis and it is not listed in CISA KEV, though the flaw is straightforward to trigger once a low-privileged WebDAV credential is held.

Authentication Bypass Cloudreve
NVD GitHub
CVSS 6.5
MEDIUM PATCH This Month

Server-Side Request Forgery in Cloudreve's remote download workflow (versions prior to 4.16.1) enables authenticated users holding the remote download permission to direct the application server to fetch arbitrary internal URLs via POST /api/v4/workflow/download. Because the downloader accepted user-supplied URLs without validating loopback, localhost, IPv6 localhost, or redirect-to-loopback targets, a low-privileged user could exfiltrate responses from internal services - including cloud instance metadata endpoints, internal APIs, or services bound to 127.0.0.1 - by reading the downloaded content from their own Cloudreve file storage. No public exploit has been identified at time of analysis; vendor-released patch 4.16.1 is available.

SSRF Cloudreve
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS), via the file upload functionality. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload XSS Privilege Escalation +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy