This vulnerability (CWE-287) in linqi's /api/Cdn/GetFile endpoint arises from improper authentication logic in the ValidateAnonFileAccess function. If an 'AnonFile' query parameter of exactly 256 characters is supplied, the function incorrectly grants access, bypassing intended authorization checks. The exposed files are restricted to minified JS and CSS assets that are already publicly accessible via a CDN, limiting the security impact. No patch or official remediation level has been disclosed, and the product is not a cloud service.

The vulnerability allows unauthorized access to certain static resource files that are already publicly accessible and contain no sensitive information. Therefore, the actual security impact is negligible despite the authentication bypass. There are no known active exploits targeting this vulnerability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the exposed resources are non-sensitive and publicly accessible, immediate urgent remediation is not indicated. Monitor for vendor updates regarding fixes or mitigations.