Auth bypass in Flintsh Flare
CVE-2026-30231
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, n…
Vulnerability class: IDOR (Insecure Direct Object Reference)
EPSS: 0.000 (8.8th percentile)
Affected products
- Flintsh Flare — versions < 1.7.2
Weakness classification (CWE)
References
- https://github.com/FlintSH/Flare/security/advisories/GHSA-gwqr-xf5c-5569 (x_refsource_CONFIRM)