Remote Download Vulnerability in Cloudreve File Management System
CVE-2026-54562
6.5MEDIUM
What is CVE-2026-54562?
In versions of Cloudreve prior to 4.16.1, a vulnerability exists within the remote download functionality. This feature improperly allows users to submit URLs which are then processed by the downloader without restrictions. In this scenario, a non-admin user with download rights could exploit the vulnerability to access internal URLs tied to the server, including those that are not meant for external access. This could lead to unauthorized data exposure and potential information leakage. The issue is resolved in version 4.16.1, whereby strict checks have been implemented to mitigate these risks.
Affected Version(s)
cloudreve < 4.16.1
