CVE-2026-30230 | THREATINT

Description

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password‑protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2.

PUBLISHED Reserved 2026-03-04 | Published 2026-03-06 | Updated 2026-03-06 | Assigner GitHub_M

HIGH: 8.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

< 1.7.2

affected

References

github.com/.../Flare/security/advisories/GHSA-3x7v-x3r6-mjh7

cve.org (CVE-2026-30230)

nvd.nist.gov (CVE-2026-30230)

Download JSON