CVE-2026-6569 - Vulnerability Details

- kodcloud KodExplorer fileGet Endpoint share.class.php improper authentication

Description

A vulnerability was identified in kodcloud KodExplorer up to 4.52. This impacts the function fileGet of the file /app/controller/share.class.php of the component fileGet Endpoint. Such manipulation of the argument fileUrl leads to improper authentication. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-19

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the fileGet function of the KodExplorer component permits manipulation of the fileUrl parameter to bypass authentication checks, enabling an attacker to retrieve files without proper authorization. The weakness is identified as an authentication bypass (CWE‑287) and can compromise the confidentiality of sensitive content stored on the affected system.

Affected Systems

The vulnerability affects the kodcloud KodExplorer product, specifically versions up to and including 4.52. Consequently any instance of KodExplorer within this version range susceptible to the fileGet endpoint is impacted.

Risk and Exploitability

The CVSS score of 6.9 places the issue in the medium severity range; however the lack of an EPSS score or KEV listing does not diminish the potential for exploitation. The description confirms that the attack can be launched remotely, and the absence of a vendor response suggests no immediate mitigation is in place. Attackers could remotely send crafted requests to the fileGet endpoint to retrieve arbitrary files, thereby potentially exposing internal data and breaching confidentiality. The risk is higher for deployments that expose the endpoint to untrusted networks and where authentication controls are not enforced externally.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

kodcloud

KodExplorer

affected

Version	Status	Constraints
`4.0`	affected	—
`4.1`	affected	—
`4.2`	affected	—
`4.3`	affected	—
`4.4`	affected	—
`4.5`	affected	—
`4.6`	affected	—
`4.7`	affected	—
`4.8`	affected	—
`4.9`	affected	—
`4.10`	affected	—
`4.11`	affected	—
`4.12`	affected	—
`4.13`	affected	—
`4.14`	affected	—
`4.15`	affected	—
`4.16`	affected	—
`4.17`	affected	—
`4.18`	affected	—
`4.19`	affected	—
`4.20`	affected	—
`4.21`	affected	—
`4.22`	affected	—
`4.23`	affected	—
`4.24`	affected	—
`4.25`	affected	—
`4.26`	affected	—
`4.27`	affected	—
`4.28`	affected	—
`4.29`	affected	—
`4.30`	affected	—
`4.31`	affected	—
`4.32`	affected	—
`4.33`	affected	—
`4.34`	affected	—
`4.35`	affected	—
`4.36`	affected	—
`4.37`	affected	—
`4.38`	affected	—
`4.39`	affected	—
`4.40`	affected	—
`4.41`	affected	—
`4.42`	affected	—
`4.43`	affected	—
`4.44`	affected	—
`4.45`	affected	—
`4.46`	affected	—
`4.47`	affected	—
`4.48`	affected	—
`4.49`	affected	—
`4.50`	affected	—
`4.51`	affected	—
`4.52`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check for and apply any official KodExplorer update that addresses the fileGet authentication bypass.
If no update is available, block or restrict external access to the /app/controller/share.class.php endpoint using firewall or reverse‑proxy rules.
Consider disabling the fileGet feature until a fixed version is deployed, or enforce strict authentication at the application layer to prevent unauthorized file access.

Generated by OpenCVE AI on April 19, 2026 at 11:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00061.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://vuldb.com/submit/789982
https://vuldb.com/vuln/358203
https://vuldb.com/vuln/358203/cti
https://vulnplus-note.wetolink.com/share/wgfZR6kXRApl

History

Sun, 19 Apr 2026 10:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in kodcloud KodExplorer up to 4.52. This impacts the function fileGet of the file /app/controller/share.class.php of the component fileGet Endpoint. Such manipulation of the argument fileUrl leads to improper authentication. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Title		kodcloud KodExplorer fileGet Endpoint share.class.php improper authentication
First Time appeared		Kodcloud Kodcloud kodexplorer
Weaknesses		CWE-287
CPEs		cpe:2.3:a:kodcloud:kodexplorer::::::::
Vendors & Products		Kodcloud Kodcloud kodexplorer
References		https://vuldb.com/submit/789982 https://vuldb.com/vuln/358203 https://vuldb.com/vuln/358203/cti https://vulnplus-note.wetolink.com/share/wgfZR6kXRApl
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:ND'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

Kodcloud Kodexplorer

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-19T10:15:11.445Z

Updated: 2026-04-19T10:15:11.445Z

Reserved: 2026-04-18T19:06:56.726Z

Link: CVE-2026-6569

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-19T11:16:14.443

Modified: 2026-04-19T11:16:14.443

Link: CVE-2026-6569

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-19T11:30:15Z

Weaknesses

CWE-287

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object