# Password‑Protected Thumbnail Bypass

GHSA : [https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7](https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7)

CVE : CVE-2026-30230

## Summary
The thumbnail endpoint does not validate the password for password‑protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password.

## Affected Component
- Thumbnail endpoint: [thumbnail/route.ts](https://github.com/FlintSH/Flare/tree/main/app/api/files/%5Bid%5D/thumbnail/route.ts)

## Evidence (Code References)
- File password is fetched but never checked: [thumbnail/route.ts:L32-L49](https://github.com/FlintSH/Flare/tree/main/app/api/files/%5Bid%5D/thumbnail/route.ts#L32-L49)
- Password checks exist in other endpoints:
  - Download: [download/route.ts:L50-L67](https://github.com/FlintSH/Flare/tree/main/app/api/files/%5Bid%5D/download/route.ts#L50-L67)
  - Raw: [raw/route.ts:L99-L107](https://github.com/FlintSH/Flare/tree/main/app/(raw)/%5BuserUrlId%5D/%5Bfilename%5D/raw/route.ts#L99-L107)

## Video POC

<video controls src="https://bookstack.imrnes.team/attachments/4" width="600">
    Your browser does not support the video tag.
</video>

## Impact
- Visual content of password‑protected files can be previewed through thumbnails without the password.
- Information disclosure of sensitive images despite password protection.

## Expected vs Actual
- Expected: Password‑protected files require a valid password for any content access, including thumbnails.
- Actual: Thumbnail content is served without password verification.

## Reproduction Checklist
- Create User A and upload an image with a password.
- Note the file ID.
- Log in as User B (non‑owner, non‑admin).
- Request the thumbnail for User A’s file without providing the password.
- Expected: access denied.
- Actual: thumbnail returned.

Consider aligning thumbnail checks with the download/raw endpoints for consistent behavior.

## Verification Checklist
- Create a password‑protected image file.
- Access thumbnail as:
  - Unauthenticated user → denied
  - Authenticated non‑owner → denied unless password provided
  - Owner/admin → allowed
- Confirm behavior matches download/raw endpoints.
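The shared access policy that the recommendation and the verification checklist above describe, as an added example (this is not Flare's code; the file/session shapes, the SHA-256 stand-in for password hashing, and the sample data are assumptions). The "before" function shows the flawed pattern, where only private files are checked and the loaded password is never consulted; the "after" function is one policy that thumbnail, download and raw can all call:

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Types are assumptions for this example, not Flare's own models.
interface StoredFile {
  id: string;
  ownerId: string;
  visibility: "PUBLIC" | "PRIVATE";
  passwordHash: string | null; // null means the file is not password-protected
}
interface Session { userId: string; isAdmin: boolean }
type Decision = { allow: true } | { allow: false; status: 401 | 403 };

// Stand-in for the real password hashing; only the comparison shape matters here.
function hashPassword(pw: string): string {
  return createHash("sha256").update(pw).digest("hex");
}

// Constant-time comparison so a wrong guess and a right guess take the same time.
function passwordMatches(storedHash: string, provided: string | undefined): boolean {
  if (provided === undefined) return false;
  const a = Buffer.from(storedHash, "hex");
  const b = Buffer.from(hashPassword(provided), "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

function isOwnerOrAdmin(file: StoredFile, session: Session | null): boolean {
  return session !== null && (session.isAdmin || session.userId === file.ownerId);
}

// The flawed pattern the advisory describes: only private files get a check,
// and the password field is fetched but never consulted.
function thumbnailDecisionBefore(file: StoredFile, session: Session | null): Decision {
  if (file.visibility === "PRIVATE" && !isOwnerOrAdmin(file, session)) {
    return { allow: false, status: session ? 403 : 401 };
  }
  return { allow: true };
}

// One policy shared by thumbnail, download and raw, so the endpoints cannot drift.
function authorizeFileAccess(file: StoredFile, session: Session | null, providedPassword?: string): Decision {
  if (isOwnerOrAdmin(file, session)) return { allow: true };
  if (file.visibility === "PRIVATE") return { allow: false, status: session ? 403 : 401 };
  if (file.passwordHash !== null && !passwordMatches(file.passwordHash, providedPassword)) {
    return { allow: false, status: 401 };
  }
  return { allow: true };
}

// Constructed sample: User A's public, password-protected image, and User B (non-owner, non-admin).
const sampleFile: StoredFile = { id: "file-1", ownerId: "user-a", visibility: "PUBLIC", passwordHash: hashPassword("hunter2") };
const userB: Session = { userId: "user-b", isAdmin: false };
```

Running `authorizeFileAccess` through the verification checklist (unauthenticated, non-owner with and without the password, owner, admin) gives the expected decisions, while `thumbnailDecisionBefore` lets User B through without the password.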