Description
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password‑protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2.
Published: 2026-03-06
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized thumbnail access to password‑protected files
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists because the thumbnail endpoint in Flare does not perform password verification for files that are protected by a user‑supplied password. While the endpoint still checks for ownership or administrative rights on private files, it skips the password check entirely for protected files. This omission allows anyone who can formulate a request to the thumbnail URL to retrieve a visual preview of the file without knowing the password, thereby bypassing the intended access control and potentially revealing sensitive data or file metadata.

Affected Systems

FlintSH Flare prior to version 1.7.2. The flaw is present in any self‑hosted deployment of Flare that has not applied the patch included in release 1.7.2.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity vulnerability with complete data confidentiality impact. The EPSS score is below 1 %, and the vulnerability has not been identified in the CISA KEV catalog, suggesting a low probability of widespread exploitation. Nonetheless, the attack vector is straightforward: an attacker can issue a crafted HTTP request to the thumbnail endpoint for a known protected file, bypassing password authentication without requiring any additional credentials. The ease of exploitation combined with the high severity warrants prompt remediation.

Generated by OpenCVE AI on April 16, 2026 at 11:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flare to version 1.7.2 or later to re‑enable password validation for thumbnail requests.
  • If an upgrade is not immediately possible, configure the server to block or restrict access to the thumbnail endpoint for password‑protected files, for example by requiring authentication or by disabling thumbnail generation for such files.
  • Verify that other file‑display or download endpoints do not have similar missing authentication checks, and apply any applicable patches or configuration changes to enforce proper access control.

Generated by OpenCVE AI on April 16, 2026 at 11:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:flintsh:flare:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Flintsh
Flintsh flare
Vendors & Products Flintsh
Flintsh flare

Sat, 07 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

threat_severity

Important

Fri, 06 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password‑protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2.
Title Flare: Password‑Protected Thumbnail Bypass
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Flintsh Flare
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:54:29.041Z

Reserved: 2026-03-04T17:23:59.797Z

Link: CVE-2026-30230

cve-icon Vulnrichment

Updated: 2026-03-09T20:47:34.472Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T21:16:17.077

Modified: 2026-04-09T20:20:02.933

Link: CVE-2026-30230

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-06T21:09:59Z

Links: CVE-2026-30230 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses