Description
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/[filename] allows any logged-in user to read arbitrary files from within the application container. The filename URL parameter is passed to path.join() without sanitization, and getFileStream() performs no path validation, enabling %2F-encoded ../ sequences to escape the uploads/avatars/ directory and read any file accessible to the nextjs process under /app/. Authentication is enforced by Next.js middleware. However, on instances with open registration enabled (the default), any attacker can self-register and immediately exploit this. This vulnerability is fixed in 1.7.3.
Published: 2026-03-10
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file read and potential information disclosure within the application container
Action: Immediate Patch
AI Analysis

Impact

Flare, a self‑hostable file sharing platform based on Next.js, contains a path traversal flaw in the /api/avatars/[filename] endpoint. The filename parameter is fed directly into path.join() without sanitization, and the subsequent getFileStream() call performs no path validation. This allows a logged‑in user to request specially crafted URLs containing percent‑encoded '../' sequences that escape the intended uploads/avatars/ directory and read any file readable by the Next.js process under the /app/ directory. The flaw, identified as CWE‑22, results in arbitrary file read and potential information disclosure within the container.

Affected Systems

FlintSH’s Flare platform, specifically any release version before 1.7.3, is affected. Users running v1.7.2 or earlier, including the default distribution that enables open registration, are vulnerable. The issue is mitigated in the 1.7.3 release and later.

Risk and Exploitability

A high CVSS score of 8.3 indicates significant impact. Although the EPSS score is below 1% and the vulnerability is not listed in the CISA known exploited vulnerability catalog, based on the description it is inferred that the attack vector is straightforward: an attacker can either self‑register (when open registration is enabled) or use existing credentials to authenticate, then issue a request to the vulnerable endpoint with a crafted filename. This traversal yields arbitrary file reads and could expose sensitive configuration or code files, potentially leading to further compromise. Therefore, the risk is high, especially on publicly exposed instances.

Generated by OpenCVE AI on April 17, 2026 at 11:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flare to version 1.7.3 or later, which removes the unsanitized path handling.
  • If an immediate upgrade is not possible, disable open registration or enforce strong authentication to prevent unauthenticated users from creating an account.
  • Restrict file access on the reverse proxy or within the application by limiting the /api/avatars endpoint to only serve files from the intended directory and rejecting any requests containing path traversal patterns.

Generated by OpenCVE AI on April 17, 2026 at 11:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:flintsh:flare:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Important

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Flintsh
Flintsh flare
Vendors & Products Flintsh
Flintsh flare

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/[filename] allows any logged-in user to read arbitrary files from within the application container. The filename URL parameter is passed to path.join() without sanitization, and getFileStream() performs no path validation, enabling %2F-encoded ../ sequences to escape the uploads/avatars/ directory and read any file accessible to the nextjs process under /app/. Authentication is enforced by Next.js middleware. However, on instances with open registration enabled (the default), any attacker can self-register and immediately exploit this. This vulnerability is fixed in 1.7.3.
Title Flare has a Path Traversal in /api/avatars/[filename]
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Flintsh Flare
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T17:40:03.168Z

Reserved: 2026-03-07T17:34:39.978Z

Link: CVE-2026-30942

cve-icon Vulnrichment

Updated: 2026-03-10T17:39:52.445Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:54.093

Modified: 2026-03-18T16:40:18.310

Link: CVE-2026-30942

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-10T16:44:10Z

Links: CVE-2026-30942 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses