CVE Catalog

CVE-2026-56768

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

30th percentile — higher than 30% of all known CVEs

Summary

A vulnerability in Seahub before version 13.0.23 allows unauthenticated users to bypass the SHARE_LINK_LOGIN_REQUIRED enforcement via a GET request to /api/v2.1/share-link-zip-task/. Attackers with a folder share-link token can obtain a fileserver zip token and download entire shared directory trees.

Risk Assessment

The organization is at risk of unauthorized access and data leakage, as attackers can download entire shared directories without required authentication.

Recommendation

Immediately upgrade Seahub to version 13.0.23 or later, which includes a fix that enforces authentication for this endpoint.

Original NVD description (English source)

Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link token can call the GET endpoint to obtain a fileserver zip token and download entire shared directory trees.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS