Auth bypass in Flintsh Flare
CVE-2026-30230
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password‑protected files. It checks ownership/admin for…
Vulnerability class: IDOR (Insecure Direct Object Reference)
EPSS: 0.000 (6.6th percentile)
Affected products
- Flintsh Flare — versions < 1.7.2
Weakness classification (CWE)
References
- https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7 (x_refsource_CONFIRM)