Description
Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.
Published: 2026-06-15
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Filestash v0.4.0 stems from incorrect access control in the /admin/api/config endpoint, which permits an attacker to elevate privileges by sending a crafted request. This flaw is a classic misconfiguration of access control (CWE-284) that can lead to unauthorized actions. The vulnerability can allow a non‑admin user to perform privileged administrative tasks, potentially compromising confidentiality, integrity, and availability of the system.

Affected Systems

Filestash, version 0.4.0. No other versions were mentioned or listed as affected in the available information. The vulnerability is specific to the admin API configuration component and is not reported to affect earlier or later releases according to the data provided.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score is very low (< 1%), suggesting a low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA's KEV, meaning it has not been confirmed as widely exploited. The likely attack vector is via remote access to the Filestash server, as the /admin/api/config endpoint is an HTTP API. Attackers would need to craft a request that bypasses the incorrect access control and may succeed from a remote context if the endpoint is exposed. The risk remains significant due to the high severity, but exploitation likelihood is modest.

Generated by OpenCVE AI on June 17, 2026 at 23:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of Filestash that corrects the access control issue in /admin/api/config.
  • Restrict network access to the admin API endpoint so that only trusted administrators can reach it, using firewall rules or network segmentation.
  • Configure proper authentication and role‑based access control for the /admin/api/config endpoint to ensure only privileged users can access it.

Generated by OpenCVE AI on June 17, 2026 at 23:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Incorrect Access Control in Filestash 0.4.0

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Incorrect Access Control in Filestash 0.4.0

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Filestash
Filestash filestash
Vendors & Products Filestash
Filestash filestash

Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.
References

Subscriptions

Filestash Filestash
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T18:06:51.330Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50891

cve-icon Vulnrichment

Updated: 2026-06-16T18:06:40.745Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:32.110

Modified: 2026-06-16T19:17:00.440

Link: CVE-2026-50891

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T23:15:14Z

Weaknesses