Description
Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary. Attackers can exploit insufficient deny-list filtering to permanently replace stored login credentials, lock out legitimate administrators, and gain persistent access to all configured tasks, cloud tokens, and notification services.
Published: 2026-05-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in Quark Drive versions older than 0.8.5, where the POST /update endpoint accepts an arbitrary webui object into the config_data dictionary without proper whitelist checks. An authenticated attacker can craft this payload to overwrite existing administrator credentials, lock out legitimate admins, and persistently control configured tasks, cloud tokens, and notifications. This mass assignment vulnerability (CWE‑915) undermines confidentiality, integrity, and availability of the administration functions.

Affected Systems

Affected installations belong to the Cp0204 quark-auto‑save product. All users running a version before 0.8.5 are vulnerable; the advisory indicates that v0.8.5 is the first release that addresses the flaw. The type of configuration change is beyond sub‑versions, so any earlier release is at risk.

Risk and Exploitability

The CVSS base score of 8.7 signals a high‑severity risk that permits loss of admin control. EPSS information is not available, but the exploit requires only local or remote authenticated access to the application’s update interface, meaning it could be abused wherever users can reach the service. The flaw is not listed in the CISA KEV catalog, suggesting no widely known public exploitation yet. Nonetheless, an attacker who can authenticate can rewrite credentials, enabling persistence and executing scheduled tasks without detection.

Generated by OpenCVE AI on May 13, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Quark Drive 0.8.5 or later to remove the unchecked mass assignment logic.
  • If an upgrade is delayed, limit network access to the /update endpoint to trusted administrators only, preventing arbitrary users from posting to the service.
  • Monitor the config_data dictionary for unexpected changes to administrator credentials and alert the security team immediately when such changes occur.

Generated by OpenCVE AI on May 13, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 00:00:00 +0000

Type Values Removed Values Added
Title Quark Drive < 0.8.5 Mass Assignment via POST /update Quark Drive (quark-auto-save) < 0.8.5 Mass Assignment via POST /update

Thu, 14 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Cp0204
Cp0204 quark-auto-save
Vendors & Products Cp0204
Cp0204 quark-auto-save

Wed, 13 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary. Attackers can exploit insufficient deny-list filtering to permanently replace stored login credentials, lock out legitimate administrators, and gain persistent access to all configured tasks, cloud tokens, and notification services.
Title Quark Drive < 0.8.5 Mass Assignment via POST /update
Weaknesses CWE-915
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Cp0204 Quark-auto-save
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:42:23.993Z

Reserved: 2026-05-11T14:14:49.611Z

Link: CVE-2026-45229

cve-icon Vulnrichment

Updated: 2026-05-14T16:19:14.919Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T21:16:49.733

Modified: 2026-05-14T16:24:56.240

Link: CVE-2026-45229

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:33:34Z

Weaknesses
  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes