← back
CVE-2026-30231

Flare: Private File IDOR via raw/direct endpoints

CVSS 6 MEDIUMEPSS 0.3%CWE-639
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
06 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, non‑owner user who knows the file URL can retrieve the content, which is inconsistent with stricter checks used by other endpoints. This issue has been patched in version 1.7.2.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
FlintSH · Flare

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/FlintSH/Flare/security/advisories/GHSA-gwqr-xf5c-5569