Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.3
Copyparty File Server Allows Unwanted Access to Shared Files
CVE-2026-32108
GHSA-67rw-2x62-mqqm
Summary
If you use the sharing feature in Copyparty, a file server, and allow users to access files via FTP or SFTP, they may be able to view files they shouldn't be able to. This is because of a mistake in the way Copyparty checks permissions. To fix this, update to version 1.20.12 or later.
What to do
- Update copyparty to version 1.20.12.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | copyparty | <= 1.20.12 | 1.20.12 |
| 9001 | copyparty | <= 1.20.12 | – |
Original title
Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is...
Original description
Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating a share of just a single file inside a folder or either the FTP or SFTP server is enabled, and also made publicly accessible. Given these conditions, when a user is browsing a share through either FTP or SFTP (not http or https), they can gain read-access to the remaining files inside the shared folder by guessing/bruteforcing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This vulnerability is similar to CVE-2025-58753 which was previously fixed for HTTP and HTTPS, but not for FTP. The FTPS server did not yet exist at that time. This vulnerability is fixed in 1.20.12.
nvd CVSS4.0
2.3
Vulnerability type
CWE-863
Incorrect Authorization
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026