Description
Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link token can call the GET endpoint to obtain a fileserver zip token and download entire shared directory trees.
Published: 2026-06-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authentication bypass in SeaHub's ShareLinkZipTaskView GET method, which fails to enforce the SHARE_LINK_LOGIN_REQUIRED policy. An attacker possessing a folder share-link token can issue a GET request to /api/v2.1/share-link-zip-task/ and receive a ZIP token, enabling download of the entire shared directory tree. This flaw belongs to CWE-862: Authorization Boundary Defect and results in unauthorized disclosure of potentially sensitive files.

Affected Systems

The affected product is SeaHub by Haiwen. All versions prior to 13.0.23 are vulnerable. No other products or versions are listed by the CNA.

Risk and Exploitability

The CVSS vector scores the flaw as 8.7, indicating high severity. Although the EPSS score is unavailable and the vulnerability is not catalogued in CISA KEV, the missing authentication guard and the ability to download whole directory trees make exploitation straightforward over the network. Attackers must hold a valid share-link token, but once obtained they can bypass authentication and exfiltrate data from any accessible directory tree.

Generated by OpenCVE AI on June 25, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SeaHub to version 13.0.23 or later to apply the vendor patch that enforces authentication on the share-link zip endpoint.
  • If an upgrade is not immediately possible, configure a reverse proxy or middleware rule that blocks unauthenticated GET requests to /api/v2.1/share-link-zip-task/, thereby restoring the missing authentication guard.
  • Revoke or rotate any existing share-link tokens that could be exploited until the patch is applied, and consider disabling anonymous sharing if not required.
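The interim middleware rule recommended above, modelled as an added example in plain Python; this is not Seahub's code, and the Request/Response classes, zip_task_view and build_app are hypothetical stand-ins for the framework objects. The guard refuses an anonymous GET to /api/v2.1/share-link-zip-task/ whenever SHARE_LINK_LOGIN_REQUIRED is on, before any zip token can be issued, and normalises the path so a missing or doubled trailing slash does not slip past the rule.

```python
from dataclasses import dataclass, field

ZIP_TASK_PATH = "/api/v2.1/share-link-zip-task/"

@dataclass
class Request:
    """Minimal stand-in for a framework request (constructed for this example)."""
    method: str
    path: str
    user_authenticated: bool
    query: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: str

def normalize_path(path: str) -> str:
    # Collapse missing or doubled trailing slashes so "/api/v2.1/share-link-zip-task"
    # and ".../share-link-zip-task//" hit the same rule as the canonical path.
    return path.rstrip("/") + "/"

class ShareLinkLoginGuard:
    """Middleware-style guard: refuse anonymous GETs to the zip-task endpoint
    whenever SHARE_LINK_LOGIN_REQUIRED is enabled, before the view can run."""

    def __init__(self, get_response, share_link_login_required: bool):
        self.get_response = get_response
        self.required = share_link_login_required

    def __call__(self, request: Request) -> Response:
        if (self.required
                and request.method.upper() == "GET"
                and normalize_path(request.path) == ZIP_TASK_PATH
                and not request.user_authenticated):
            # Deny here so no fileserver zip token is issued to an anonymous caller.
            return Response(403, "login required for share-link download")
        return self.get_response(request)

def zip_task_view(request: Request) -> Response:
    # Stand-in for the view body (hypothetical); hands back a constructed placeholder.
    if not request.query.get("share_link_token"):
        return Response(400, "missing share_link_token")
    return Response(200, "zip_token=<constructed-placeholder>")

def build_app(share_link_login_required: bool) -> ShareLinkLoginGuard:
    # Hypothetical wiring: in a real deployment the guard would wrap the view chain.
    return ShareLinkLoginGuard(zip_task_view, share_link_login_required)
```

When the setting is off the guard is a no-op and the request reaches the view unchanged, which mirrors the intended behaviour of SHARE_LINK_LOGIN_REQUIRED rather than forcing login on every deployment.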


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Haiwen
                                       Haiwen seahub
Vendors & Products                     Haiwen
                                       Haiwen seahub

Thu, 25 Jun 2026 18:30:00 +0000

Type          Values Removed   Values Added
Description                    Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link token can call the GET endpoint to obtain a fileserver zip token and download entire shared directory trees.
Title                          Seahub < 13.0.23 - Authentication Bypass in ShareLinkZipTaskView GET Method
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                               cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T18:05:06.817Z

Reserved: 2026-06-22T21:55:17.942Z

Link: CVE-2026-56768

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T09:36:43Z

Weaknesses