Seahub < 13.0.23 - Authentication Bypass in ShareLinkZipTaskView GET Method

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link token can call the GET endpoint to obtain a fileserver zip token and download entire shared directory trees.

AI Analysis

Authentication bypass vulnerability in Seahub's ShareLinkZipTaskView GET method, allowing unauthenticated users to download shared directory trees.

Basic Information

ID CVE-2026-56768

Source VulnCheck

Published Jun 25, 2026 at 18:05

Affected Product

Vendor haiwen

Product seahub

Affected Versions haiwen seahub 0

CWE Classification

CWE-862

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Seafile

Product Seahub

Version < 13.0.23

References

{
    "lastseen": "",
    "description": "Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link token can call the GET endpoint to obtain a fileserver zip token and download entire shared directory trees.",
    "published": "2026-06-25T18:05:06.817Z",
    "modified": "2026-06-25T18:05:06.817Z",
    "type": "cve",
    "title": "Seahub < 13.0.23 - Authentication Bypass in ShareLinkZipTaskView GET Method",
    "source": "VulnCheck",
    "references": "https://plus.seafile.com/wiki/publish/seafile-wiki/v5D5/\nhttps://github.com/haiwen/seahub/issues/9050\nhttps://github.com/haiwen/seahub/commit/b609949cf64ed6a15708d0fb5ea9c179962e23cc\nhttps://github.com/haiwen/seahub/commit/162cddae0831188d02bb8d451dc2193e197dcc57\nhttps://www.vulncheck.com/advisories/seahub-authentication-bypass-in-sharelinkziptaskview-get-method",
    "id": "CVE-2026-56768",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "haiwen seahub 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "seahub",
    "version": "0",
    "vendor": "haiwen",
    "ai_description": "Authentication bypass vulnerability in Seahub's ShareLinkZipTaskView GET method, allowing unauthenticated users to download shared directory trees.",
    "ai_severity": "High",
    "ai_vendor": "Seafile",
    "ai_product": "Seahub",
    "ai_version": "< 13.0.23",
    "ai_score": 8.7
}

Seahub < 13.0.23 - Authentication Bypass in ShareLinkZipTaskView GET Method_CVE-2026-56768