CVE-2026-30230
HIGH
Flare < 1.7.2 - Unauthenticated Password Bypass in Thumbnail Endpoint
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password‑protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2.
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7
Scores
CVSS v3: 7.5
EPSS: 0.0038
EPSS Percentile: 29.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-639
Status: published
Products (1)
flintsh/flare: < 1.7.2
Published: Mar 06, 2026
Tracked Since: Mar 07, 2026