Password‑Protected Thumbnail Bypass
GHSA : https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7
CVE : CVE-2026-30230
Summary
The thumbnail endpoint does not validate the password for password‑protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password.
Affected Component
- Thumbnail endpoint: thumbnail/route.ts
Evidence (Code References)
- File password is fetched but never checked: thumbnail/route.ts:L32-L49
- Password checks exist in other endpoints:
- Download: download/route.ts:L50-L67
- Raw: raw/route.ts:L99-L107
Video POC
Impact
- Visual content of password‑protected files can be previewed through thumbnails without the password.
- Information disclosure of sensitive images despite password protection.
Expected vs Actual
- Expected: Password‑protected files require a valid password for any content access, including thumbnails.
- Actual: Thumbnail content is served without password verification.
Reproduction Checklist
- Create User A and upload an image with a password.
- Note the file ID.
- Log in as User B (non‑owner, non‑admin).
- Request the thumbnail for User A’s file without providing the password.
- Expected: access denied.
- Actual: thumbnail returned.
Consider aligning thumbnail checks with the download/raw endpoints for consistent behavior.
Verification Checklist
- Create a password‑protected image file.
- Access thumbnail as:
- Unauthenticated user → denied
- Authenticated non‑owner → denied unless password provided
- Owner/admin → allowed
- Confirm behavior matches download/raw endpoints.
No comments to display
No comments to display