CVE-2026-54560 in Cloudreve
Summary
by MITRE • 07/15/2026
Cloudreve is a self-hosted file management and sharing system. From 4.12.0 until 4.16.1, Cloudreve's OAuth access tokens are issued without the OAuth client_id claim, so the JWT verifier does not load token scopes into request context and RequiredScopes treats the request like non-scoped session authentication, allowing a low-scope OAuth access token to call APIs requiring higher scopes such as file, share, workflow, user setting, WebDAV account, and potentially admin scopes. This issue is fixed in version 4.16.1.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
Cloudreve represents a self-hosted file management and sharing platform that implements OAuth 2.0 authentication mechanisms for securing API access. The vulnerability described affects versions ranging from 4.12.0 through 4.16.1, creating a critical authorization bypass flaw that fundamentally undermines the system's security model. This issue stems from improper JWT token processing where the client_id claim is omitted during access token issuance, directly violating OAuth 2.0 specification requirements for proper token validation and scope enforcement.
The technical flaw manifests when the JWT verifier fails to properly parse and load token scopes into the request context, effectively nullifying the scope-based access control mechanisms that should govern API interactions. This omission creates a dangerous condition where the RequiredScopes middleware cannot properly validate whether incoming requests possess adequate privileges for specific operations. The vulnerability operates at the core of Cloudreve's authentication architecture, specifically targeting the token verification and authorization flow within the OAuth 2.0 implementation.
From an operational perspective, this vulnerability allows attackers to exploit low-scope OAuth access tokens to perform actions that require significantly higher privileges. The affected API endpoints include file management operations, sharing functionality, workflow processes, user settings modifications, WebDAV account operations, and potentially administrative functions. This privilege escalation capability means unauthorized users could gain access to sensitive data and system controls typically restricted to authenticated administrators or users with appropriate scope permissions.
The security implications extend beyond simple unauthorized access, as this vulnerability creates a pathway for potential data exfiltration, system compromise, and unauthorized modifications to critical user and system configurations. The issue aligns with CWE-284 Access Control Issues, specifically addressing inadequate permissions and scope validation in authentication systems. From an ATT&CK framework perspective, this vulnerability maps to privilege escalation techniques and credential access methods that enable adversaries to operate with elevated privileges within the target environment.
The fix implemented in version 4.16.1 addresses the core JWT processing logic to ensure proper client_id claim inclusion during token generation and validates that scope information is correctly loaded into request contexts. Organizations using Cloudreve should immediately upgrade to version 4.16.1 or later to remediate this vulnerability, while also implementing monitoring for unauthorized API access attempts. Security teams should conduct thorough audits of OAuth implementation across all affected versions and consider revoking existing tokens as a precautionary measure to prevent exploitation of this authorization bypass vulnerability.
This vulnerability demonstrates the critical importance of proper scope validation in OAuth implementations and highlights how seemingly minor configuration errors can lead to significant security compromises in file management systems that handle sensitive user data and system controls. The remediation process should include comprehensive testing of authentication flows and scope enforcement mechanisms to ensure that similar issues do not persist in other components of the system architecture.