Description
A security flaw has been discovered in kalcaddle kodbox 1.64. The affected code is the function can in the file /workspace/source-code/app/controller/explorer/auth.class.php, part of the Password-protected Share Handler component. A manipulation leads to improper authentication. The attack can be carried out remotely. Attack complexity is rather high, and exploitability is considered difficult. An exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-26
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authentication enabling unauthorized access
Action: Patch ASAP
AI Analysis

Impact

A flaw in the Password‑Protected Share Handler of kalcaddle kodbox allows an attacker to bypass authentication in the auth.class.php controller. By manipulating the request, an unauthorized user can gain access to protected resources and view or download data that should be restricted. This unauthorized access is a direct result of an authentication failure (CWE-287).

Affected Systems

The vulnerability affects kalcaddle kodbox version 1.64. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, and the absence of an EPSS entry combined with the fact that it is not listed in CISA's Known Exploited Vulnerabilities catalog suggests limited widespread exploitation so far. However, a public exploit has been released and the attack can be performed remotely. The complexity is high and the exploitability is considered difficult, yet an attacker with sufficient skill can forge a request that bypasses the authentication check and gain unauthorized access.

Generated by OpenCVE AI on March 26, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch from kalcaddle for version 1.64 as soon as it is released.
  • If a patch is not yet available, disable the Password-protected Share Handler or remove the auth class from the publicly exposed web root until a fix is available.
  • Restrict external access to the kodbox installation with firewall rules or network segmentation so that only trusted hosts can reach the vulnerable endpoint.
  • Implement an additional authentication layer, such as multi‑factor authentication, around the protected resource area.
  • Monitor access logs for repeated failed or suspicious login attempts and alert on potential exploitation attempts.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Kalcaddle; Kalcaddle kodbox

Type: Vendors & Products
Values Removed: (empty)
Values Added: Kalcaddle; Kalcaddle kodbox

Thu, 26 Mar 2026 01:45:00 +0000

Type: Description
Values Removed: (empty)
Values Added: A security flaw has been discovered in kalcaddle kodbox 1.64. Impacted is the function can of the file /workspace/source-code/app/controller/explorer/auth.class.php of the component Password-protected Share Handler. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (empty)
Values Added: kalcaddle kodbox Password-protected Share auth.class.php can improper authentication

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-287

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added:
  cvssV2_0 {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-26T14:16:51.497Z

Reserved: 2026-03-25T14:11:38.305Z

Link: CVE-2026-4831

Vulnrichment

Updated: 2026-03-26T14:16:47.935Z

NVD

Status : Deferred

Published: 2026-03-26T02:16:08.113

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-4831

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:08:53Z

Weaknesses