Description
Liquidfiles versions before 4.2.12 are affected by a broken access control vulnerability resulting in privilege escalation from an Admin in a secondary domain to a Sysadmin by modifying a group in their managed secondary (non-default) group.
Published: 2026-06-20
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Liquidfiles versions prior to 4.2.12 contain a broken access control flaw that allows an administrator in a secondary domain to elevate privileges to system administrator by modifying a group in that secondary domain. The flaw permits unauthorized modification of group membership, directly granting sysadmin rights.

Affected Systems

The affected product is Liquidfiles. Versions before 4.2.12 are vulnerable; the issue occurs within secondary (non‑default) groups and can be triggered by users with administrative rights in those secondary domains.

Risk and Exploitability

The CVSS score of 5.9 indicates medium severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploitation at this time. Exploitation requires an attacker who already holds admin rights in a secondary domain (PR:H in the CVSS vector), so the risk is largely limited to users who are already privileged within that domain.

Generated by OpenCVE AI on June 20, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Liquidfiles to version 4.2.12 or later
  • Limit administrator privileges in secondary domains to only essential functions and restrict group modification capabilities
  • Enable and review audit logs for changes to group membership and administrative roles to detect unauthorized changes

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Privilege Escalation via Broken Access Control in Liquidfiles |
| First Time appeared | | Liquidfiles; Liquidfiles liquidfiles |
| Vendors & Products | | Liquidfiles; Liquidfiles liquidfiles |

Sat, 20 Jun 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Liquidfiles versions before 4.2.12 are affected by a broken access control vulnerability resulting in privilege escalation from an Admin in a secondary domain to a Sysadmin by modifying a group in their managed secondary (non-default) group. |
| Weaknesses | | CWE-285 |
| References | | |
| Metrics | | cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: PRJBLK

Published:

Updated: 2026-06-20T12:36:23.104Z

Reserved: 2026-06-19T01:42:39.740Z

Link: CVE-2026-12673

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T15:15:07Z

Weaknesses