Flare file sharing platform allows unauthorized access to private files

CVE-2026-30231
Summary

Flare, a self-hosted file sharing platform, had an authorization weakness: anyone with an account who knew the URL of a private file could access it without being its owner. The issue has been fixed in version 1.7.2, so update to this version to protect your files.

Original description
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, non‑owner user who knows the file URL can retrieve the content, which is inconsistent with stricter checks used by other endpoints. This issue has been patched in version 1.7.2.
NVD CVSS 4.0 score: 6.0
Vulnerability type
CWE-639 Authorization Bypass Through User-Controlled Key
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
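
The gap described above, authentication checked but ownership not, shown as an added example that is not Flare's source code. The route functions, the session and file shapes, and the sample data are hypothetical; the status codes are this example's choice.

```javascript
// Added illustration, not Flare's code. All names and shapes are hypothetical.

// Constructed sample data: one private and one public file, both owned by alice.
const FILES = new Map([
  ["a1b2", { ownerId: "alice", isPrivate: true, body: "alice-private" }],
  ["c3d4", { ownerId: "alice", isPrivate: false, body: "alice-public" }],
]);

// Pre-fix behaviour as the advisory describes it: a private file is refused
// only when there is no session at all. Any logged-in user passes.
function rawRouteAuthOnly(session, fileId) {
  const file = FILES.get(fileId);
  if (!file) return { status: 404 };
  if (file.isPrivate && !session) return { status: 401 };
  return { status: 200, body: file.body };
}

// Hardened check: a private file is served only to its owner.
function rawRouteOwnerChecked(session, fileId) {
  const file = FILES.get(fileId);
  if (!file) return { status: 404 };
  if (file.isPrivate) {
    if (!session) return { status: 401 };                         // not logged in
    if (session.userId !== file.ownerId) return { status: 403 };  // logged in, not owner
  }
  return { status: 200, body: file.body };
}

// Regression matrix: every caller type against every file. The pre-fix route
// differs from the hardened one only in the "bob:a1b2" cell (non-owner, private).
function accessMatrix(route) {
  const sessions = {
    anonymous: null,
    bob: { userId: "bob" },     // authenticated non-owner
    alice: { userId: "alice" }, // owner
  };
  const out = {};
  for (const [who, session] of Object.entries(sessions)) {
    for (const fileId of FILES.keys()) {
      out[`${who}:${fileId}`] = route(session, fileId).status;
    }
  }
  return out;
}
```

A matrix like this works as a regression test for every route that serves file content, so the raw and direct routes are held to the same ownership check as the other endpoints.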