CVE-2026-54562 in Cloudreveinfo

Summary

by MITRE • 07/15/2026

Cloudreve is a self-hosted file management and sharing system. Prior to 4.16.1, Cloudreve's remote download workflow accepts user-supplied URLs at POST /api/v4/workflow/download and passes them to the configured downloader without blocking loopback, localhost, IPv6 localhost, or redirect-to-loopback targets, allowing a non-admin user with remote download permission to fetch internal-only URLs and read the response after it is imported into the user's own files. This issue is fixed in version 4.16.1.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in Cloudreve versions prior to 4.16.1 represents a critical access control flaw that enables unauthorized information disclosure through improper URL validation in the remote download functionality. This weakness exists within the workflow processing system where user-supplied URLs are accepted without sufficient sanitization or validation checks, creating an avenue for privilege escalation and data exfiltration. The vulnerability specifically affects the POST endpoint at /api/v4/workflow/download which serves as the entry point for remote file downloading operations.

The technical implementation flaw stems from the absence of loopback address filtering within the downloader configuration, allowing malicious actors to specify internal network addresses such as 127.0.0.1, localhost, or IPv6 equivalent addresses. This validation gap enables attackers to bypass normal access restrictions by targeting internal services that would otherwise be protected from external access. The system fails to properly validate URL schemes and target addresses against known internal network ranges, effectively permitting requests to loopback interfaces regardless of user privileges.

Operationally, this vulnerability creates a severe security risk for organizations relying on Cloudreve for file management, as it allows non-administrative users with remote download permissions to access internal-only resources that should remain restricted. The impact extends beyond simple information disclosure to potentially enable further reconnaissance activities, as attackers can probe internal services and gather intelligence about the network infrastructure. When combined with other vulnerabilities or attack vectors, this weakness could facilitate more sophisticated attacks such as internal network enumeration or service exploitation.

The fix implemented in version 4.16.1 addresses this through enhanced URL validation mechanisms that block loopback addresses and redirect chains leading to internal targets. This remediation aligns with security best practices for input validation and access control enforcement, preventing unauthorized access to internal resources while maintaining legitimate functionality for external file downloads. Organizations should prioritize updating to version 4.16.1 or later to mitigate this risk.

This vulnerability type corresponds to CWE-20: Improper Input Validation and falls under the ATT&CK technique T1071.004: Application Layer Protocol: DNS, where attackers exploit application-level protocols to gain unauthorized access. The weakness represents a classic case of insufficient validation leading to information disclosure and potential privilege escalation within cloud-based file management systems.

The security implications extend beyond immediate data exposure to include potential for internal network reconnaissance and service discovery activities. Attackers could leverage this vulnerability to map internal services, identify running applications, and potentially exploit other vulnerabilities in the internal infrastructure that may not be exposed to external networks. This makes the vulnerability particularly dangerous in environments where internal network segmentation is critical for security posture.

Organizations should implement additional monitoring around the remote download API endpoint to detect suspicious activities involving loopback address patterns or unusual download behaviors. The mitigation strategy should also include regular security assessments of file management systems to identify similar validation gaps in other applications and services within the infrastructure ecosystem.

Responsible

GitHub M

Reservation

06/15/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!