Remote Download Vulnerability in Cloudreve File Management System
CVE-2026-54562

6.5MEDIUM

Key Information:

Vendor

Cloudreve

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-54562?

In versions of Cloudreve prior to 4.16.1, a vulnerability exists within the remote download functionality. This feature improperly allows users to submit URLs which are then processed by the downloader without restrictions. In this scenario, a non-admin user with download rights could exploit the vulnerability to access internal URLs tied to the server, including those that are not meant for external access. This could lead to unauthorized data exposure and potential information leakage. The issue is resolved in version 4.16.1, whereby strict checks have been implemented to mitigate these risks.

Affected Version(s)

cloudreve < 4.16.1

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.