CVE-2026-30230: CWE-639: Authorization Bypass Through User-Controlled Key in FlintSH Flare
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password-protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2.
AI Analysis
Technical Summary
CVE-2026-30230 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting FlintSH's Flare, a Next.js-based self-hostable file sharing platform. The vulnerability resides in the thumbnail endpoint of Flare versions prior to 1.7.2. Although Flare enforces ownership and admin checks for private files, it fails to validate the password for password-protected files when serving thumbnails. This means that an attacker can request thumbnails of password-protected files without supplying or verifying the correct password, effectively bypassing the intended access control mechanisms. The flaw does not require any privileges or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score is 8.2 (high), reflecting the ease of exploitation and the high confidentiality impact due to unauthorized access to potentially sensitive thumbnails. The vulnerability was publicly disclosed on March 6, 2026, and has been addressed in Flare version 1.7.2. No known exploits have been reported in the wild to date. This vulnerability highlights the importance of consistent access control enforcement across all endpoints, especially in file sharing platforms where sensitive data exposure can have significant consequences.
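To make the access-control gap concrete, the following TypeScript is an added illustration and is not Flare's code (the page does not show the project's implementation). It models the decision the analysis describes: a hypothetical thumbnailAccessVulnerable that gates private files on ownership/admin but never checks the password of a password-protected file, next to a hardened decision that applies both checks. The file and request shapes, the field names, the use of scrypt for the stored password, and the choice that owners and admins pass without the password are all assumptions made for the example.

```typescript
import { scryptSync, randomBytes, timingSafeEqual } from "node:crypto";

// Added example, not Flare's code. The record and request shapes below are
// assumptions for illustration; the advisory does not show Flare's schema.
export type Visibility = "PUBLIC" | "PRIVATE";

export interface StoredFile {
  id: string;
  ownerId: string;
  visibility: Visibility;
  // Set only for password-protected files: "<salt hex>:<scrypt hash hex>".
  passwordHash?: string;
}

export interface RequestContext {
  userId?: string;           // undefined for an unauthenticated request
  isAdmin: boolean;
  suppliedPassword?: string; // e.g. taken from a header or form field
}

export type Decision = "ALLOW" | "DENY";

// scrypt with a random 16-byte salt; the salt travels with the stored hash.
export function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const hash = scryptSync(password, salt, 32);
  return `${salt.toString("hex")}:${hash.toString("hex")}`;
}

// Constant-time comparison; a malformed stored value never verifies.
export function verifyPassword(password: string, stored: string): boolean {
  const parts = stored.split(":");
  if (parts.length !== 2) return false;
  const salt = Buffer.from(parts[0], "hex");
  const expected = Buffer.from(parts[1], "hex");
  if (salt.length !== 16 || expected.length !== 32) return false;
  const actual = scryptSync(password, salt, 32);
  return timingSafeEqual(actual, expected);
}

function isOwnerOrAdmin(file: StoredFile, ctx: RequestContext): boolean {
  return ctx.isAdmin || (ctx.userId !== undefined && ctx.userId === file.ownerId);
}

// Models the pre-1.7.2 behaviour the advisory describes: private files are
// gated on ownership/admin, but the password on a protected file is never
// consulted, so an anonymous caller is granted the thumbnail.
export function thumbnailAccessVulnerable(file: StoredFile, ctx: RequestContext): Decision {
  if (file.visibility === "PRIVATE" && !isOwnerOrAdmin(file, ctx)) return "DENY";
  return "ALLOW";
}

// Hardened decision: a single policy function intended to be shared by the
// file route and the thumbnail route, so every representation of a file is
// subject to the same checks. Owners and admins bypass the password (assumed).
export function thumbnailAccessHardened(file: StoredFile, ctx: RequestContext): Decision {
  if (isOwnerOrAdmin(file, ctx)) return "ALLOW";
  if (file.visibility === "PRIVATE") return "DENY";
  if (file.passwordHash !== undefined) {
    if (ctx.suppliedPassword === undefined) return "DENY";
    if (!verifyPassword(ctx.suppliedPassword, file.passwordHash)) return "DENY";
  }
  return "ALLOW";
}

// Constructed sample record: a public, password-protected file owned by "alice".
export function sampleProtectedFile(password: string): StoredFile {
  return { id: "f1", ownerId: "alice", visibility: "PUBLIC", passwordHash: hashPassword(password) };
}
```

The point of the hardened version is structural rather than the specific checks: when the thumbnail route and the file route each carry their own hand-written conditions, one of them can drift, which is exactly the inconsistency the advisory reports. Routing both through one policy function makes the password check impossible to skip for any one representation of the file.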
Potential Impact
The primary impact of CVE-2026-30230 is unauthorized disclosure of sensitive information through access to thumbnails of password-protected files without proper authentication. Organizations using vulnerable versions of Flare risk exposure of confidential or proprietary data, which could lead to privacy violations, intellectual property theft, or reputational damage. Since the flaw allows remote, unauthenticated access, attackers can easily exploit it to gather intelligence or conduct further attacks. Although the vulnerability does not allow modification or deletion of files, the confidentiality breach alone is significant. This could be particularly damaging for enterprises, government agencies, or any organization handling sensitive or regulated data. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as threat actors may develop exploits following public disclosure. Overall, this vulnerability undermines trust in the platform's security and could result in compliance issues for organizations subject to data protection regulations.
Mitigation Recommendations
1. Upgrade all instances of FlintSH Flare to version 1.7.2 or later, where the vulnerability has been patched.
2. Until patching is complete, restrict access to the thumbnail endpoint via network controls such as firewalls or reverse proxies to trusted users only.
3. Review and audit access control policies for all file sharing endpoints to ensure consistent enforcement of password verification and ownership checks.
4. Implement monitoring and alerting for unusual access patterns to the thumbnail endpoint, such as repeated unauthorized requests.
5. Educate users and administrators about the importance of applying security updates promptly and verifying platform configurations.
6. Consider additional application-layer protections like Web Application Firewalls (WAFs) that can detect and block unauthorized thumbnail requests.
7. Conduct penetration testing focused on authorization controls to identify similar weaknesses in other parts of the platform.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T17:23:59.797Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ab4414c48b3f10ffd8fc2b
Added to database: 3/6/2026, 9:16:04 PM
Last enriched: 3/14/2026, 7:42:52 PM
Last updated: 4/21/2026, 9:45:24 AM