CVE-2026-30230
Received Received - Intake
Unauthorized Thumbnail Access in Flare Due to Password Bypass

Publication date: 2026-03-06

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password‑protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30230
EUVD
EUVD-2026-10076
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flintsh flare to 1.7.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30230 is a high-severity vulnerability in the FlintSH/Flare file sharing platform versions up to 1.7.1. The issue lies in the thumbnail endpoint, which fails to validate passwords for password-protected files.

While the system correctly checks ownership or admin privileges for private files, it completely skips verifying the password when accessing thumbnails. This means unauthorized users can view thumbnail previews of protected images without providing the password.

Other endpoints like download and raw properly enforce password checks, but the thumbnail endpoint does not, leading to unauthorized disclosure of visual content.

Impact Analysis

This vulnerability allows unauthorized users to access thumbnail previews of password-protected images without needing the password or any special privileges.

The impact is a high loss of confidentiality because sensitive visual content can be exposed to unauthorized parties.

There is no impact on data integrity or system availability, but the unauthorized disclosure of sensitive images can lead to privacy breaches or information leakage.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to access the thumbnail endpoint of password-protected files without providing the password and observing if the thumbnail is returned.

  • Upload a password-protected image as User A.
  • From a different user or unauthenticated client (User B), send a request to the thumbnail endpoint for that image without including the password.
  • If the thumbnail is returned without requiring the password, the system is vulnerable.

A sample command using curl to test this could be:

  • curl -v http://[flare-server]/thumbnail/[file-id]

If the response returns the thumbnail image without authentication or password, the vulnerability exists.

Mitigation Strategies

The immediate mitigation step is to upgrade the Flare platform to version 1.7.2 or later, where the vulnerability has been patched.

Until the upgrade can be applied, restrict access to the thumbnail endpoint to trusted users or networks to prevent unauthorized thumbnail access.

Additionally, monitor and audit access logs for any unauthorized thumbnail requests to detect potential exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30230. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart