Mass Assignment Vulnerability in Quark Drive by Cp0204
CVE-2026-45229

8.7 HIGH

Key Information:

Vendor: Cp0204

CVE Published: 13 May 2026

What is CVE-2026-45229?

Quark Drive prior to version 0.8.5 is vulnerable to a mass assignment flaw that allows authenticated attackers to overwrite administrator credentials. By exploiting the POST /update endpoint, attackers can inject arbitrary data into the config_data dictionary, bypassing insufficient deny-list filtering. This can lead to unauthorized access by permanently replacing legitimate administrator login information, effectively locking out the rightful administrators. As a result, attackers can gain persistent access to all tasks, cloud tokens, and notification services configured within the application.
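
The pattern described above, shown as an added example that is not Quark Drive's own code: a deny-list merge into a config dictionary beside an allow-list merge with type checks. All key names, the stored config and the sample request body are constructed for illustration.

```python
from copy import deepcopy

# Hypothetical stored config; key names are constructed, not Quark Drive's own.
STORED = {
    "admin": {"username": "root", "password_hash": "constructed-hash"},
    "tasks": [],
    "schedule": "0 8 * * *",
}
# Constructed request body: one legitimate field plus an administrator record.
SAMPLE_BODY = {"schedule": "0 9 * * *",
               "admin": {"username": "other", "password_hash": "other-hash"}}

DENY_LIST = {"api_token"}                       # anything not named here passes
ALLOW_LIST = {"tasks": list, "schedule": str}   # key -> required type


def update_deny_list(config, body):
    """Weak pattern: copy every client key that is not explicitly denied."""
    new = deepcopy(config)
    for key, value in body.items():
        if key not in DENY_LIST:
            new[key] = value
    return new


def update_allow_list(config, body):
    """Hardened pattern: accept only known user-editable keys of the right type."""
    rejected = sorted(k for k in body if k not in ALLOW_LIST)
    if rejected:
        raise ValueError(f"fields not editable via /update: {rejected}")
    new = deepcopy(config)
    for key, value in body.items():
        if not isinstance(value, ALLOW_LIST[key]):
            raise ValueError(f"{key}: expected {ALLOW_LIST[key].__name__}")
        new[key] = value
    return new


def credentials_changed(before, after):
    """Audit helper: did an update touch the administrator record?"""
    return before.get("admin") != after.get("admin")


if __name__ == "__main__":
    print(credentials_changed(STORED, update_deny_list(STORED, SAMPLE_BODY)))
    try:
        update_allow_list(STORED, SAMPLE_BODY)
    except ValueError as exc:
        print("rejected:", exc)
```

Credential changes belong on a separate endpoint that re-checks the current password; the audit helper can be run on every config write to log or alert when the administrator record differs.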

Affected Version(s)

quark-auto-save 0

quark-auto-save 0 < 0.8.5

quark-auto-save ea8377a596446291953dbe36e2d119d85bcd865b

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Katriel Moses