Auth bypass in 9001 Copyparty

CVE-2026-32108

Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating…

Vulnerability class: Broken Access Control

EPSS: 0.000 (3.9th percentile) — read the EPSS interpretation.

Affected products

9001 Copyparty — versions < 1.20.12

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

https://github.com/9001/copyparty/security/advisories/GHSA-67rw-2x62-mqqm (x_refsource_CONFIRM)