CVE-2026-4588: Use of Hard-coded Cryptographic Key in kalcaddle kodbox
CVE-2026-4588 is a medium-severity vulnerability in kalcaddle kodbox version 1.64 involving the use of a hard-coded cryptographic key in the shareSafeGroup function. This flaw resides in the Site-level API key Handler component and can be triggered remotely without authentication or user interaction, though exploitation complexity is high. The vulnerability allows attackers to manipulate the argument 'sk' to leverage the hard-coded key, potentially compromising confidentiality. The vendor has not responded to disclosure attempts, and no patches are currently available. While no known exploits are in the wild, the public disclosure increases risk. Organizations using kodbox 1.64 should prioritize mitigation to prevent unauthorized access or data exposure. This vulnerability primarily affects internet-facing deployments of kodbox, especially in countries with significant adoption of this software. The CVSS 4.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-4588 identifies a vulnerability in kalcaddle kodbox version 1.64, specifically within the shareSafeGroup function located in /workspace/source-code/app/controller/explorer/shareOut.class.php. The issue stems from the use of a hard-coded cryptographic key in the Site-level API key Handler component. An attacker can remotely manipulate the 'sk' argument to exploit this hard-coded key, potentially bypassing intended security controls. The vulnerability does not require authentication or user interaction, but the attack complexity is high, indicating that exploitation demands significant effort or conditions. The hard-coded key undermines cryptographic security by allowing attackers to decrypt or forge data protected by this key, threatening confidentiality. The vendor was notified early but has not issued a patch or response, and no official fixes are currently available. Although no known exploits are actively used in the wild, the public disclosure increases the risk of future exploitation. The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P) reflects a network attack vector with high complexity, no privileges or user interaction required, and limited confidentiality impact. This vulnerability is particularly relevant for organizations deploying kodbox 1.64 in internet-facing environments where the shareSafeGroup function is accessible.
Potential Impact
The primary impact of CVE-2026-4588 is the potential compromise of confidentiality due to the use of a hard-coded cryptographic key. Attackers exploiting this vulnerability could decrypt sensitive data or forge authentication tokens related to the shareSafeGroup functionality, leading to unauthorized data access or manipulation. Although the exploit complexity is high, successful exploitation could result in exposure of protected files or sharing configurations, undermining trust in the application's security. There is no direct impact on integrity or availability reported. Organizations relying on kodbox 1.64 for file sharing or collaboration may face data breaches or unauthorized disclosure of sensitive information. The lack of vendor response and absence of patches prolong the exposure window, increasing risk over time. Given the remote attack vector and no requirement for authentication, internet-facing deployments are particularly vulnerable. The medium CVSS score reflects a balance between the difficulty of exploitation and the potential confidentiality impact.
Mitigation Recommendations
To mitigate CVE-2026-4588, organizations should first assess whether they are running kodbox version 1.64 and identify any internet-facing instances exposing the shareSafeGroup functionality. Immediate mitigation steps include restricting network access to the affected API endpoints using firewalls or web application firewalls (WAFs) to limit exposure to trusted internal networks only. Employing network segmentation can reduce the attack surface. Since no official patch is available, consider disabling or restricting the use of the shareSafeGroup feature if feasible. Monitor application logs for unusual access patterns or manipulation attempts involving the 'sk' parameter. Implement compensating controls such as additional authentication layers or API gateways that validate requests before reaching kodbox. Regularly check for vendor updates or community patches addressing this vulnerability. Additionally, conduct security audits and penetration tests focusing on cryptographic key management and API security to identify and remediate similar weaknesses. Finally, educate development teams on secure coding practices to avoid hard-coded keys in future releases.
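As an added illustration of the log-monitoring step above (editor-supplied example code, not part of the advisory or of the kodbox project): a small Python scanner that parses combined-format access log lines, picks out requests to the shareSafeGroup action that carry an sk argument, and flags source addresses that cycle through several distinct sk values. The request shape index.php?explorer/shareOut/shareSafeGroup&sk=... and the sample log lines are constructed assumptions for illustration; adjust the route match to your deployment's routing, and note that sk values sent in a POST body will not appear in an access log, so this covers only query-string use.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache/Nginx "combined" format.
# The route "index.php?explorer/shareOut/shareSafeGroup&sk=..." is an assumed
# shape for illustration only; it is not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2026:13:01:02 +0000] "GET /index.php?explorer/list&path=%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Mar/2026:13:01:05 +0000] "GET /index.php?explorer/shareOut/shareSafeGroup&sk=abc123 HTTP/1.1" 200 128 "-" "curl/8.0"
198.51.100.9 - - [23/Mar/2026:13:01:06 +0000] "GET /index.php?explorer/shareOut/shareSafeGroup&sk=abc124 HTTP/1.1" 403 64 "-" "curl/8.0"
198.51.100.9 - - [23/Mar/2026:13:01:07 +0000] "GET /index.php?explorer/shareOut/shareSafeGroup&sk=abc125 HTTP/1.1" 403 64 "-" "curl/8.0"
203.0.113.7 - - [23/Mar/2026:13:02:00 +0000] "POST /index.php?explorer/shareOut/shareSafeGroup HTTP/1.1" 200 96 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Lower-cased fragment identifying the affected action in the request target (assumed routing).
ACTION = "shareout/sharesafegroup"


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def sk_value(target):
    """Return the 'sk' argument of a request to shareSafeGroup, or None if the
    request targets another action or carries no sk in its query string."""
    parts = urlsplit(target)
    if ACTION not in parts.path.lower() and ACTION not in parts.query.lower():
        return None
    # parse_qs drops the bare "explorer/..." routing token (no '=') and keeps sk=...
    return parse_qs(parts.query).get("sk", [None])[0]


def summarize(log_text, threshold=3):
    """Collect sk-bearing shareSafeGroup requests per source IP and flag sources
    that present at least `threshold` distinct sk values (key-guessing pattern)."""
    per_ip = Counter()
    distinct_sk = {}
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sk = sk_value(rec["target"])
        if sk is None:
            continue
        per_ip[rec["ip"]] += 1
        distinct_sk.setdefault(rec["ip"], set()).add(sk)
        events.append((rec["ip"], rec["ts"], rec["status"], sk))
    flagged = sorted(ip for ip, keys in distinct_sk.items() if len(keys) >= threshold)
    return {"events": events, "per_ip": dict(per_ip), "flagged": flagged}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, ts, status, sk in result["events"]:
        print(f"{ts} {ip} status={status} sk={sk}")
    print("flagged sources:", result["flagged"])
```

Feed real log files in by reading them into `summarize`; tune `threshold` to the normal rate of legitimate share-link lookups seen in the deployment, and pair the flagged list with the WAF or network restriction the paragraph above recommends.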
Affected Countries
United States, China, Germany, India, United Kingdom, France, Japan, South Korea, Brazil, Russia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-22T11:40:12.546Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c1398bf4197a8e3b580fbc
Added to database: 3/23/2026, 1:00:59 PM
Last enriched: 3/23/2026, 1:16:18 PM
Last updated: 3/23/2026, 2:09:39 PM
Views: 17