CVE-2026-30942: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in FlintSH Flare
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/[filename] allows any logged-in user to read arbitrary files from within the application container. The filename URL parameter is passed to path.join() without sanitization, and getFileStream() performs no path validation, enabling %2F-encoded ../ sequences to escape the uploads/avatars/ directory and read any file accessible to the nextjs process under /app/. Authentication is enforced by Next.js middleware. However, on instances with open registration enabled (the default), any attacker can self-register and immediately exploit this. This vulnerability is fixed in 1.7.3.
AI Analysis
Technical Summary
FlintSH's Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions prior to 1.7.3 contain a path traversal vulnerability (CWE-22) in the /api/avatars/[filename] API endpoint. The filename URL parameter is passed directly to Node.js's path.join(), which normalises '..' segments rather than rejecting them, and getFileStream() performs no path validation of its own, so nothing confines the resulting path to the uploads/avatars/ directory. Because [filename] is a single dynamic route segment, a literal '/' in the URL would change which route matches; the attacker instead URL-encodes the slash as %2F, and the '../' sequences arrive intact in the parameter once the framework decodes it. Any logged-in user can therefore read any file accessible to the Next.js process under /app/. Authentication is enforced by Next.js middleware, but open registration is enabled by default, so an attacker without an account can create one and exploit the flaw immediately. The impact is to confidentiality only: files inside the application container are exposed, while integrity and availability are not affected. The flaw was assigned CVE-2026-30942 with a CVSS 4.0 score of 8.3 (high severity). No exploitation in the wild was reported as of publication. Flare 1.7.3 fixes the issue.
Potential Impact
Any file the Next.js process can read under /app/ is exposed: application source, configuration and environment files, and any secrets the deployment keeps on the container filesystem (for example database connection strings or session-signing keys, if they are stored in files such as .env rather than injected at runtime). Because open registration is the default, the effective prerequisite is network reachability of the instance, not possession of a trusted account. Disclosed credentials or signing material can be chained into further compromise of the Flare instance or of the back-end services it talks to. The flaw grants read access only; it does not by itself allow writing files or disrupting service, so integrity and availability are not directly affected, but confidentiality is fully compromised for the container. Deployments holding sensitive or regulated data are the most exposed.
Mitigation Recommendations
Upgrade all Flare instances to 1.7.3 or later. Where that is not immediately possible, reduce who can reach the endpoint and what a successful read is worth: disable open registration so that only invited, trusted users hold accounts, and review existing accounts for unexpected self-registrations; restrict network access to the instance (VPN, IP allow-listing or an authenticating reverse proxy); run the Next.js process as a non-root user, mount the application directory read-only, and keep secrets out of files under /app/ where possible (injecting them from the orchestrator rather than shipping a .env file in the image). A WAF or reverse-proxy rule can block /api/avatars/ requests that contain traversal sequences, but it must match after URL decoding, including double encoding (%252F) and encoded dots (%2e), because the attack depends on the slash being encoded; a rule that looks for a literal '../' in the raw request line will not fire. Monitor access logs for /api/avatars/ requests whose filename decodes to contain '/' or '..', and treat a 200 response to such a request as confirmed exposure: rotate any secret that lived in a file readable by the process. If the application has been modified locally, review any code that builds filesystem paths from request input so that it resolves the path and checks the result stays inside the intended directory before opening it.
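An added example of the log check described above, not part of the advisory: it scans access-log lines for /api/avatars/ requests whose filename still contains a separator or a '..' component after URL decoding, including double-encoded forms. The log lines are constructed samples in the common log format, and the function names are assumptions.

```javascript
// Added example (not part of the advisory): flag access-log entries that
// request /api/avatars/<filename> with a traversal sequence hidden by
// URL encoding. Log format and sample lines are constructed.

// Decode up to three times so double-encoded forms such as %252F
// (-> %2F -> /) are caught; stop once decoding changes nothing or fails.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { return current; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// A legitimate avatar name is a single path segment: after decoding it must
// not contain a separator and must not be the ".." component itself.
function isAvatarTraversal(requestPath) {
  const m = /^\/api\/avatars\/([^?#\s]+)/.exec(requestPath);
  if (!m) return false;
  const name = fullyDecode(m[1]);
  return name === '..' || /[\\/]/.test(name);
}

// Constructed sample log. Only the request line (method, raw path) is used;
// the raw path is what a reverse proxy records, so the %2F is still visible.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Mar/2026:17:34:45 +0000] "GET /api/avatars/alice.png HTTP/1.1" 200 5123',
  '10.0.0.5 - - [10/Mar/2026:17:35:02 +0000] "GET /api/avatars/..%2F..%2F.env HTTP/1.1" 200 812',
  '10.0.0.9 - - [10/Mar/2026:17:36:10 +0000] "GET /api/avatars/..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1999',
  '10.0.0.9 - - [10/Mar/2026:17:36:11 +0000] "GET /api/files/..%2F..%2Fx HTTP/1.1" 404 0',
  '10.0.0.7 - - [10/Mar/2026:17:37:00 +0000] "GET /api/avatars/%2e%2e%2f%2e%2e%2fpackage.json HTTP/1.1" 200 4000',
];

// Return the lines that hit the avatars endpoint with a traversal payload.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /"(?:GET|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
    if (m && isAvatarTraversal(m[1])) hits.push(line);
  }
  return hits;
}

// Usage: scanLog(SAMPLE_LOG) flags the three /api/avatars/ traversal lines
// and ignores the benign avatar fetch and the unrelated /api/files/ request.
```

The same decode-then-match logic is what a WAF rule needs; a pattern applied to the raw request line would see only '%2F' and '%252F' and miss every one of the three flagged requests. Because the vulnerable version returned the file, a 200 status on a flagged line should be read as a successful disclosure rather than a blocked attempt.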
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T17:34:39.978Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b05635ea502d3aa87d7bf6
Added to database: 3/10/2026, 5:34:45 PM
Last enriched: 3/10/2026, 5:49:25 PM
Last updated: 3/14/2026, 1:10:46 AM