Flare <= 1.7.1: Passwords Not Verified for Protected Files

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.2

Flare <= 1.7.1: Passwords Not Verified for Protected Files

CVE-2026-30230

Summary

If you use Flare to share sensitive files, an attacker could potentially access the thumbnail of those files without knowing the password, as long as they have ownership or admin access. This was fixed in version 1.7.2. Update to the latest version to patch this issue.

Original title

Original description

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password‑protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2.

nvd CVSS4.0 8.2

Vulnerability type

CWE-639 Authorization Bypass Through User-Controlled Key

https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7

Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026