CVE-2026-54560

Source
https://cve.org/CVERecord?id=CVE-2026-54560
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54560.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54560
Aliases
  • GHSA-vgj4-345g-jcf8
Published
2026-07-15T14:40:24.765Z
Modified
2026-07-17T03:47:38.826324665Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L CVSS Calculator
Summary
Cloudreve: OAuth access tokens bypass scope enforcement due to missing client_id claim
Details

Cloudreve is a self-hosted file management and sharing system. From 4.12.0 until 4.16.1, Cloudreve's OAuth access tokens are issued without the OAuth client_id claim, so the JWT verifier does not load token scopes into request context and RequiredScopes treats the request like non-scoped session authentication, allowing a low-scope OAuth access token to call APIs requiring higher scopes such as file, share, workflow, user setting, WebDAV account, and potentially admin scopes. This issue is fixed in version 4.16.1.

Database specific
{
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54560.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/cloudreve/cloudreve

Affected ranges

Type
GIT
Repo
https://github.com/cloudreve/cloudreve
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.12.0"
        },
        {
            "fixed": "4.16.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

4.*
4.12.0
4.12.1
4.13.0
4.14.0
4.14.1
4.15.0
4.16.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54560.json"