CVE-2026-6805
External Sharing Feature Information Disclosure in Cryptobox
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: Thales Group
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thalesgroup | cryptobox | 4.40 |
| thalesgroup | cryptobox | 4.39 |
| thalesgroup | cryptobox | 4.40.166 |
| thalesgroup | cryptobox | 4.40.153 |
| thalesgroup | cryptobox | 4.40.152 |
| thalesgroup | cryptobox | 4.38.295 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-280 | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability allows an attacker to potentially gain unauthorized access to shared information by brute-forcing the access code offline. This could lead to exposure of sensitive data shared via Cryptobox external sharing links without requiring direct interaction with the server during the attack.
Can you explain this vulnerability to me?
This vulnerability exists in the external sharing feature of Cryptobox. An attacker who knows the URL of a sharing link can retrieve information from the server that enables them to perform an offline brute-force attack on the access code associated with that sharing link.