CVE-2026-32108
Missing Permission Check in Copyparty FTP/SFTP Enables File Disclosure

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating a share of just a single file inside a folder, and either the FTP or SFTP server is enabled and also made publicly accessible. Given these conditions, when a user is browsing a share through either FTP or SFTP (not HTTP or HTTPS), they can gain read access to the remaining files inside the shared folder by guessing or brute-forcing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This vulnerability is similar to CVE-2025-58753, which was previously fixed for HTTP and HTTPS, but not for FTP. The FTPS server did not yet exist at that time. This vulnerability is fixed in 1.20.12.
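The bug class described above (CWE-863: one protocol front end enforces the share's file restriction, another does not) can be modelled in a few lines. This is an added illustration, not copyparty's code; the `Share` class, the reader functions and the file names are hypothetical.

```python
# Simplified model of the bug class; NOT copyparty's code. All names are hypothetical.

class Share:
    """A share backed by a folder. `only` is the allow-list of file names the
    creator chose to expose; an empty allow-list shares the whole folder."""
    def __init__(self, files, only=()):
        self.files = dict(files)        # name -> contents (constructed sample data)
        self.only = frozenset(only)

    def authorize(self, name):
        """The permission check: subdirectories are never reachable, and a
        single-file share exposes only the names on its allow-list."""
        if "/" in name or (self.only and name not in self.only):
            raise PermissionError(name)

def http_read(share, name):
    """Front end that performs the check before touching the folder."""
    share.authorize(name)
    return share.files[name]

def ftp_read_flawed(share, name):
    """Front end with the check missing: it blocks subdirectories but resolves
    any guessed name straight from the backing folder."""
    if "/" in name:
        raise PermissionError(name)
    return share.files[name]

def ftp_read_fixed(share, name):
    """Corrected front end: same authorize() call as the HTTP path."""
    share.authorize(name)
    return share.files[name]

def try_read(reader, share, name):
    """Return the file contents, or None when the read is denied or missing."""
    try:
        return reader(share, name)
    except (PermissionError, KeyError):
        return None

# Constructed sample: one file shared out of a folder holding two.
SHARE = Share({"report.pdf": b"public", "payroll.csv": b"private"},
              only=["report.pdf"])

if __name__ == "__main__":
    for reader in (http_read, ftp_read_flawed, ftp_read_fixed):
        print(reader.__name__, try_read(reader, SHARE, "payroll.csv"))
```

Routing every protocol handler through one authorization function is what keeps a fix applied to one front end from being missed on another.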
Meta Information
Published: 2026-03-11
Last Modified: 2026-03-13
Generated: 2026-05-07
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Vendor: 9001
Product: copyparty
Version / Range: to 1.20.12 (exc)

CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Copyparty versions prior to 1.20.12 and involves a missing permission check in the shares feature when using the shr global-option.

It only applies if a share is created for a single file inside a folder and either the FTP or SFTP server is enabled and made publicly accessible.

Under these conditions, a user browsing the share via FTP or SFTP can guess or brute-force filenames to gain read access to other files in the same folder, although they cannot access subdirectories.

This issue was fixed in version 1.20.12.


How can this vulnerability impact me?

If you use the shares feature of Copyparty to share a single file inside a folder and have FTP or SFTP enabled and publicly accessible, an attacker could gain unauthorized read access to other files in the same folder by guessing their filenames.

This could lead to unintended disclosure of sensitive or private files stored alongside the shared file.

However, the attacker cannot access files in subdirectories, only sibling files in the same folder.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Copyparty to version 1.20.12 or later where the missing permission check in the shares feature has been fixed.

Additionally, avoid using the shares feature to create a share of a single file inside a folder when FTP or SFTP servers are enabled and publicly accessible.

