CVE-2026-30231

Source
https://cve.org/CVERecord?id=CVE-2026-30231
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30231.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-30231
Aliases
  • GHSA-gwqr-xf5c-5569
Published
2026-03-06T21:10:41.969Z
Modified
2026-04-10T05:41:48.883445Z
Severity
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Flare: Private File IDOR via raw/direct endpoints
Details

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, non‑owner user who knows the file URL can retrieve the content, which is inconsistent with stricter checks used by other endpoints. This issue has been patched in version 1.7.2.

Database specific
{
    "cwe_ids": [
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30231.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/flintsh/flare

Affected ranges

Type
GIT
Repo
https://github.com/flintsh/flare
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.7.2"
        }
    ]
}

Affected versions

Other
rolling
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.4.2
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30231.json"