Improper Authentication Bypass in linqi CDN File Access
CVE-2026-11345

6.9MEDIUM

Key Information:

Vendor: Linqi Gmbh
Status: Linqi
Vendor: CVE Published:; 5 June 2026

What is CVE-2026-11345?

An Improper Authentication vulnerability in the /api/Cdn/GetFile endpoint of linqi allows unauthenticated, remote attackers to bypass file access controls. The ValidateAnonFileAccess function incorrectly grants access if an 'AnonFile' query parameter containing exactly 256 characters is provided. While this flaw allows bypassing the intended authorization check, the actual security impact is negligible; the exposed resources are strictly limited to minified JavaScript and CSS files that contain no sensitive data and are already publicly accessible via a standard CDN.

Affected Version(s)

linqi 0 < 1.4.8.6

References

https://linqi.help/en/reference/security/security-advisor...

vendor-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2026
Vulnerability Reserved
Jun 5, 2026

Credit

Ianis BERNARD from NATO Cyber Security Centre (NCSC)

CVE-2026-11345 Data

JSON

Linqi Gmbh

What is CVE-2026-11345?

Affected Version(s)

References

CVSS V4

Timeline

Credit