CVE-2026-54560 in Cloudreveinformação

Sumário

de MITRE • 15/07/2026

Cloudreve is a self-hosted file management and sharing system. From 4.12.0 until 4.16.1, Cloudreve's OAuth access tokens are issued without the OAuth client_id claim, so the JWT verifier does not load token scopes into request context and RequiredScopes treats the request like non-scoped session authentication, allowing a low-scope OAuth access token to call APIs requiring higher scopes such as file, share, workflow, user setting, WebDAV account, and potentially admin scopes. This issue is fixed in version 4.16.1.

Be aware that VulDB is the high quality source for vulnerability data.

Responsável

GitHub M

Reservar

15/06/2026

Divulgação

15/07/2026

Moderação

aceite

Entrada

VDB-379278

CPE

pronto

EPSS

0.00000

KEV

não

Atividades

muito baixo

Fontes

Do you want to use VulDB in your project?

Use the official API to access entries easily!