The vulnerability identified as CVE-2026-4588 affects kalcaddle kodbox version 1.64, specifically within the shareSafeGroup function located in /workspace/source-code/app/controller/explorer/shareOut.class.php. This function is part of the Site-level API key Handler component. The core issue is the use of a hard-coded cryptographic key, which is a significant security weakness because it undermines the confidentiality and integrity guarantees expected from cryptographic operations. An attacker can manipulate the 'sk' argument to trigger the use of this fixed key remotely, without requiring authentication or user interaction. Although the attack complexity is high and exploitation is difficult, the vulnerability is publicly disclosed and could be leveraged in targeted attacks. The CVSS 4.0 base score is 6.3, reflecting a medium severity level, with network attack vector, high attack complexity, no privileges required, and no user interaction needed. The impact is limited to confidentiality with no integrity or availability effects noted. The vendor has not responded to the disclosure, and no patches or mitigations have been officially released. This leaves users of kodbox 1.64 exposed to potential cryptographic key compromise and subsequent data leakage or unauthorized access to shared resources.

The primary impact of this vulnerability is the potential compromise of confidentiality for data shared or protected by the affected cryptographic key mechanism. Attackers exploiting this flaw could decrypt or forge data protected by the hard-coded key, leading to unauthorized data access or manipulation of shared content. Since kodbox is a file management and sharing platform, this could expose sensitive organizational data, intellectual property, or personal information. The lack of vendor response and absence of patches increase the risk exposure duration. Although exploitation is difficult, motivated attackers targeting organizations using kodbox 1.64 could leverage this vulnerability for espionage or data theft. The impact is mostly on confidentiality, with no direct effect on system availability or integrity. Organizations relying on kodbox for secure file sharing should consider this a significant risk, especially in environments where sensitive data is handled.

Given the absence of official patches or vendor guidance, organizations should implement several practical mitigations: 1) Immediately audit and monitor all instances of kodbox 1.64 for unusual access patterns or suspicious activity related to the shareSafeGroup function. 2) Restrict network access to kodbox instances to trusted IP ranges and enforce strict firewall rules to reduce exposure to remote attacks. 3) Where possible, disable or limit the use of the vulnerable shareSafeGroup functionality until a patch is available. 4) Employ additional encryption layers at the application or transport level to protect sensitive data independently of kodbox’s internal cryptography. 5) Consider upgrading to newer kodbox versions if available and verified to be free of this vulnerability. 6) Maintain regular backups and implement incident response plans to quickly address any potential compromise. 7) Engage in threat intelligence sharing to stay informed about any emerging exploits targeting this vulnerability. These steps go beyond generic advice by focusing on containment, layered security, and proactive monitoring specific to the vulnerability’s characteristics.