CVE-2026-25726

Source
https://cve.org/CVERecord?id=CVE-2026-25726
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25726.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25726
Aliases
Published
2026-04-03T20:06:21.629Z
Modified
2026-07-08T08:12:41.976493990Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Cloudreve is vulnerable to Account Takeover via Weak Cryptographic Token Generation (Insecure PRNG Seeding)
Details

Cloudreve is a self-hosted file management and sharing system. Prior to version 4.13.0, the application uses the weak pseudo-random number generator math/rand seeded with time.Now().UnixNano() to generate critical security secrets, including the secretkey, and hashidsalt. These secrets are generated upon first startup and persisted in the database. An attacker can exploit this by obtaining the administrator's account creation time (via public API endpoints) to narrow the search window for the PRNG seed, and use known hashid to validate the seed. By brute-forcing the seed (demonstrated to take <3 hours on general consumer PC), an attacker can predict the secretkey. This allows them to forge valid JSON Web Tokens (JWTs) for any user, including administrators, leading to full account takeover and privilege escalation. This issue has been patched in version 4.13.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-338"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25726.json"
}
References

Affected packages

Git / github.com/cloudreve/cloudreve

Affected ranges

Type
GIT
Repo
https://github.com/cloudreve/cloudreve
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.13.0"
        }
    ],
    "cpe": "cpe:2.3:a:cloudreve:cloudreve:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

3.*
3.0.0
3.0.0-beta1
3.0.0-beta2
3.0.0-beta3
3.0.0-rc1
3.1.0
3.1.1
3.2.0
3.2.1
3.3.0
3.3.1
3.3.2
3.4.0
3.4.0-beta1
3.4.1
3.4.2
3.5.0
3.5.0-beta.3
3.5.0-beta1
3.5.0-beta2
3.5.1
3.5.2
3.5.3
3.6.0
3.6.0-beta1
3.6.1
3.6.2
3.7.0
3.7.1
3.8.0
3.8.0-beta1
3.8.1
3.8.2
3.8.3
4.*
4.0.0
4.0.0-beta.10
4.0.0-beta.11
4.0.0-beta.12
4.0.0-beta.13
4.0.0-beta.14
4.0.0-beta.6
4.0.0-beta.7
4.0.0-beta.8
4.0.0-beta.9
4.1.0
4.1.1
4.1.2
4.1.3
4.10.0
4.10.1
4.11.0
4.11.1
4.12.0
4.12.1
4.2.0
4.3.0
4.4.0
4.4.1
4.5.0
4.5.1
4.6.0
4.7.0
4.8.0
4.9.0
4.9.1
4.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25726.json"