anonhaven
Ad

CVE-2026-32108

LOW CVSS 4.0: 2.3 EPSS 0.01%
Updated Mar 11, 2026
Copyparty
Parameter Value
CVSS 2.3 (LOW)
Fixed In 1.20.12
Type CWE-863 (Incorrect Authorization)
Vendor Copyparty
Public PoC No

Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating a share of just a single file inside a folder or either the FTP or SFTP server is enabled, and also made publicly accessible.

Given these conditions, when a user is browsing a share through either FTP or SFTP (not http or https), they can gain read-access to the remaining files inside the shared folder by guessing/bruteforcing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This vulnerability is similar to CVE-2025-58753 which was previously fixed for HTTP and HTTPS, but not for FTP.

The FTPS server did not yet exist at that time. This vulnerability is fixed in 1.20.12.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-863 Incorrect Authorization

References 1

https://github.com/9001/copyparty/security/advisories/GHSA-67rw-2x62-mqqm
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-32109

Copyparty

3.7

CVE-2026-30974

9001

5.4

CVE-2026-27948

Copyparty

5.4