CVE-2026-30230

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password‑protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:flintsh:flare:*:*:*:*:*:*:*:*

History

09 Apr 2026, 20:20

Type	Values Removed	Values Added
First Time		Flintsh Flintsh flare
Summary		(es) Flare es una plataforma para compartir archivos autoalojable, basada en Next.js, que se integra con herramientas de captura de pantalla. Antes de la versión 1.7.2, el endpoint de miniaturas no valida la contraseña para los archivos protegidos con contraseña. Verifica la propiedad/administración para archivos privados, pero omite la verificación de la contraseña, permitiendo el acceso a las miniaturas sin la contraseña. Este problema ha sido parcheado en la versión 1.7.2.
CPE		cpe:2.3:a:flintsh:flare::::::::
References	~~() https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7 -~~	() https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7 - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

06 Mar 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 21:16

Updated : 2026-04-09 20:20

NVD link : CVE-2026-30230

Mitre link : CVE-2026-30230

CVE.ORG link : CVE-2026-30230

JSON object : View

Products Affected

flintsh

flare

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-30230", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T21:16:17.077", "references": [{"url": "https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password\u2011protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2."}, {"lang": "es", "value": "Flare es una plataforma para compartir archivos autoalojable, basada en Next.js, que se integra con herramientas de captura de pantalla. Antes de la versi\u00f3n 1.7.2, el endpoint de miniaturas no valida la contrase\u00f1a para los archivos protegidos con contrase\u00f1a. Verifica la propiedad/administraci\u00f3n para archivos privados, pero omite la verificaci\u00f3n de la contrase\u00f1a, permitiendo el acceso a las miniaturas sin la contrase\u00f1a. Este problema ha sido parcheado en la versi\u00f3n 1.7.2."}], "lastModified": "2026-04-09T20:20:02.933", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:flintsh:flare:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4166EF32-3722-49DA-8764-A48E4CE75863", "versionEndExcluding": "1.7.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}