Description
Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating a share of just a single file inside a folder or either the FTP or SFTP server is enabled, and also made publicly accessible. Given these conditions, when a user is browsing a share through either FTP or SFTP (not http or https), they can gain read-access to the remaining files inside the shared folder by guessing/bruteforcing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This vulnerability is similar to CVE-2025-58753 which was previously fixed for HTTP and HTTPS, but not for FTP. The FTPS server did not yet exist at that time. This vulnerability is fixed in 1.20.12.
Published: 2026-03-11
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability originates from a missing permission check in Copyparty's shares feature when a single file is shared via the FTP or SFTP server. When the share is publicly accessible, an attacker who browses the share over FTP or SFTP can gain read access to any other files that reside in the same directory by guessing or brute-forcing filenames. The result is a confidentiality loss for sibling files; it allows neither traversal into subdirectories nor code execution.

Affected Systems

The issue affects all versions of Copyparty older than 1.20.12 (vendor 9001). Users running these versions with the FTP or SFTP server enabled and with shares configured to expose a single file through the shr global option are exposed.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and the EPSS probability is under 1%. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires that the share be publicly reachable and that an attacker connect to the FTP or SFTP service and guess or brute-force filenames in the shared directory. Because the attack is limited to read operations on sibling files, the risk is low but still significant where those files contain sensitive data.

Generated by OpenCVE AI on March 17, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Copyparty to version 1.20.12 or later where the permission check is fixed.
  • If an upgrade is not immediately possible, disable the FTP or SFTP server, or remove public accessibility for shares that expose a single file.
  • Restrict share configuration to avoid exposing single files in directories that contain sensitive data.
  • Verify that the shares feature is not enabled for FTP or SFTP when not required.

Generated by OpenCVE AI on March 17, 2026 at 16:25 UTC.

Advisories
Source: Github GHSA
ID: GHSA-67rw-2x62-mqqm
Title: Copyparty ftp/sftp: Sharing a single file did not fully restrict source-folder access
History

Fri, 13 Mar 2026 16:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:9001:copyparty:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Thu, 12 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: 9001; 9001 copyparty

Type: Vendors & Products
Values Added: 9001; 9001 copyparty

Wed, 11 Mar 2026 20:30:00 +0000

Type: Description
Values Added: Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating a share of just a single file inside a folder or either the FTP or SFTP server is enabled, and also made publicly accessible. Given these conditions, when a user is browsing a share through either FTP or SFTP (not http or https), they can gain read-access to the remaining files inside the shared folder by guessing/bruteforcing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This vulnerability is similar to CVE-2025-58753 which was previously fixed for HTTP and HTTPS, but not for FTP. The FTPS server did not yet exist at that time. This vulnerability is fixed in 1.20.12.

Type: Title
Values Added: Copyparty ftp/sftp: Sharing a single file did not fully restrict source-folder access

Type: Weaknesses
Values Added: CWE-863

Type: References
Values Added:

Type: Metrics (cvssV4_0)
Values Added: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T19:47:10.628Z

Reserved: 2026-03-10T22:02:38.854Z

Link: CVE-2026-32108

Vulnrichment

Updated: 2026-03-12T19:47:07.765Z

NVD

Status: Analyzed

Published: 2026-03-11T21:16:16.760

Modified: 2026-03-13T15:51:26.950

Link: CVE-2026-32108

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:37:19Z

Weaknesses