Broken Access Control Vulnerability in Liquidfiles by Liquidfiles
CVE-2026-12673

5.9MEDIUM

Key Information:

Vendor: Liquidfiles
Status: Liquidfiles
Vendor: CVE Published:; 20 June 2026

🔔 Create Liquidfiles Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-12673?

Liquidfiles versions prior to 4.2.12 exhibit a broken access control vulnerability that allows for privilege escalation. An attacker with Admin privileges in a secondary domain can exploit this vulnerability to gain Sysadmin access by manipulating group settings within their managed non-default group. This flaw potentially compromises the integrity and security of user privileges across the affected Liquidfiles platform.

Affected Version(s)

liquidfiles 0 < 4.2.12

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-12673 - Proof of Concept

References

https://docs.liquidfiles.com/release_notes/version_4-2-x....

vendor-advisory

https://projectblack.io/blog/liquidfiles-privilege-escala...

exploit

CVSS V4

Score:

5.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 20, 2026
👾
Exploit known to exist
Jun 20, 2026
Vulnerability published
Jun 20, 2026
Vulnerability Reserved
Jun 19, 2026

CVE-2026-12673 Data

JSON