Copyparty is a portable file server that prior to version 1.20.12 contained an authorization flaw (CWE-863) in its shares feature, specifically when sharing a single file inside a folder combined with FTP or SFTP servers enabled and publicly accessible. The vulnerability allows an attacker who can access the share via FTP or SFTP to bypass intended access restrictions by guessing or brute-forcing sibling filenames within the shared folder, thereby reading files that were not explicitly shared. This flaw does not permit directory traversal into subfolders, limiting the scope to sibling files only. The root cause is a missing permission check for FTP/SFTP access paths, similar to a previously addressed vulnerability affecting HTTP/HTTPS shares (CVE-2025-58753). FTPS was not affected at the time since it did not exist in the product. The vulnerability requires low privileges (authenticated user) and no user interaction, with network attack vector and low impact on confidentiality. The issue was publicly disclosed on March 11, 2026, and fixed in copyparty version 1.20.12. No known active exploits have been reported.

The primary impact of this vulnerability is unauthorized disclosure of files within a shared folder when FTP or SFTP servers are enabled and publicly accessible. Attackers can gain read access to files that were not intended to be shared by guessing filenames, potentially exposing sensitive or confidential information. However, the inability to traverse subdirectories limits the scope of data exposure. The vulnerability requires the shares feature to be used in a specific way and FTP/SFTP to be publicly accessible, which may reduce the attack surface. Organizations using copyparty for file sharing over FTP/SFTP in public or semi-public environments are at risk of data leakage. The low CVSS score reflects the limited severity, but sensitive data exposure could still have compliance and privacy implications. No impact on data integrity or availability is indicated. The lack of known exploits suggests limited active threat but does not preclude future exploitation.

To mitigate this vulnerability, organizations should upgrade copyparty to version 1.20.12 or later where the authorization check is properly enforced. Until upgrade is possible, administrators should avoid enabling the shares feature for single-file shares combined with FTP or SFTP servers that are publicly accessible. Restrict FTP/SFTP access to trusted networks or authenticated users only, and disable anonymous or public access. Implement strong filename policies to reduce the risk of successful brute-force guessing, such as using unpredictable filenames. Monitor FTP/SFTP logs for unusual access patterns or repeated failed attempts to guess filenames. Consider using FTPS or HTTPS shares instead, as these are not affected by this vulnerability. Regularly audit share configurations and permissions to ensure least privilege principles are enforced. Finally, educate users and administrators about the risks of exposing file shares over FTP/SFTP without proper access controls.