CVE-2026-30942
Received Received - Intake
Path Traversal in Flare Avatars API Allows Arbitrary File Read

Publication date: 2026-03-10

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/[filename] allows any logged-in user to read arbitrary files from within the application container. The filename URL parameter is passed to path.join() without sanitization, and getFileStream() performs no path validation, enabling %2F-encoded ../ sequences to escape the uploads/avatars/ directory and read any file accessible to the nextjs process under /app/. Authentication is enforced by Next.js middleware. However, on instances with open registration enabled (the default), any attacker can self-register and immediately exploit this. This vulnerability is fixed in 1.7.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30942
EUVD
EUVD-2026-10553
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flintsh flare to 1.7.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Flare, a Next.js-based file sharing platform. Before version 1.7.3, an authenticated path traversal flaw in the /api/avatars/[filename] endpoint allows any logged-in user to read arbitrary files within the application container.

The issue arises because the filename parameter is passed to path.join() without sanitization, and getFileStream() does not validate the path. This allows attackers to use encoded sequences like %2F to traverse directories (../) and access files outside the intended uploads/avatars/ directory.

Although authentication is required, instances with open registration (the default setting) allow any attacker to self-register and exploit this vulnerability immediately.

This vulnerability was fixed in version 1.7.3 of Flare.

Impact Analysis

This vulnerability can allow an attacker who is able to log in (or self-register if open registration is enabled) to read arbitrary files within the application container.

Such unauthorized file access could lead to exposure of sensitive information stored on the server, including configuration files, user data, or other confidential files accessible to the Next.js process.

This could result in data breaches, loss of confidentiality, and potentially further exploitation depending on the contents of the accessed files.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Flare to version 1.7.3 or later, where the path traversal issue in /api/avatars/[filename] is fixed.

If upgrading immediately is not possible, consider disabling open registration to prevent attackers from self-registering and exploiting the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart