PatchSiren cyber security CVE debrief
CVE-2026-56768 haiwen CVE debrief
CVE-2026-56768 is an authentication bypass vulnerability in Seahub's Share Link Zip Task View. The vulnerability exists because Seahub before version 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on the GET /api/v2.1/share-link-zip-task/ endpoint. This allows unauthenticated users to bypass authentication and obtain a fileserver zip token by providing a folder share-link token. With this token, attackers can download entire shared directory trees. The vulnerability has a CVSS score of 8.7 and is considered HIGH severity. The CVE was published on 2026-06-25T19:16:43.840Z and last modified on 2026-06-30T05:19:58.563Z.
- Vendor: haiwen
- Product: seahub
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-25
- Original CVE updated: 2026-06-30
- Advisory published: 2026-06-25
- Advisory updated: 2026-06-30
Who should care
Organizations using Seahub, especially those with publicly accessible share links, should be aware of this vulnerability. Attackers can exploit this issue to download sensitive files without authentication, potentially leading to data breaches. Users of Seahub versions prior to 13.0.23 are particularly at risk.
Technical summary
The vulnerability is caused by the lack of authentication enforcement on the GET /api/v2.1/share-link-zip-task/ endpoint in Seahub before version 13.0.23. Specifically, the SHARE_LINK_LOGIN_REQUIRED setting is not applied to this endpoint, allowing unauthenticated access. An attacker can exploit this by providing a valid folder share-link token to obtain a fileserver zip token, which can then be used to download entire directory trees shared via the platform.
Defensive priority
Updating Seahub to version 13.0.23 or later should be treated as high priority. In the meantime, defenders should review their current configurations and either ensure that share links are not publicly accessible or restrict access to sensitive directories.
Recommended defensive actions
- Update Seahub to version 13.0.23 or later to enforce SHARE_LINK_LOGIN_REQUIRED on the affected endpoint.
- Review and restrict access to share links, especially those pointing to sensitive directories.
- Monitor for suspicious activity related to share link usage and zip task views.
- Implement additional authentication mechanisms for accessing shared directories and files.
- Conduct a thorough inventory of Seahub instances and their configurations to identify potential exposure.
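For the monitoring item above, the following added example (not from the advisory or the Seahub project) triages reverse-proxy access logs for GET requests to the affected endpoint and lists the clients that received successful responses. It assumes the nginx/Apache combined log format; the sample lines, addresses and query strings are constructed placeholders. Access logs do not record whether a request was authenticated, so the result is a review list rather than proof of exploitation.

```python
import re
from collections import defaultdict

# Endpoint named in the advisory.
ENDPOINT = "/api/v2.1/share-link-zip-task/"

# Assumption: combined log format (nginx/Apache default).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines; the query strings are placeholders, not real parameters.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jun/2026:10:01:02 +0000] "GET /api/v2.1/share-link-zip-task/?placeholder=1 HTTP/1.1" 200 64 "-" "curl/8.5.0"',
    '203.0.113.7 - - [26/Jun/2026:10:01:05 +0000] "GET /api/v2.1/share-link-zip-task/?placeholder=2 HTTP/1.1" 200 64 "-" "curl/8.5.0"',
    '198.51.100.20 - - [26/Jun/2026:10:02:00 +0000] "GET /api/v2.1/share-link-zip-task/?placeholder=3 HTTP/1.1" 403 31 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [26/Jun/2026:10:03:00 +0000] "GET /api/v2.1/repos/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def zip_task_hits(lines):
    """Return {client_ip: [(timestamp, status), ...]} for GET requests to ENDPOINT."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path = m["target"].split("?", 1)[0]  # drop the query string
        if path.rstrip("/") + "/" != ENDPOINT:
            continue
        hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def review_list(hits, min_success=1):
    """Clients with at least min_success 2xx responses, busiest first."""
    rows = []
    for ip, events in hits.items():
        ok = sum(1 for _, status in events if 200 <= status < 300)
        if ok >= min_success:
            rows.append((ip, ok, len(events)))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for ip, ok, total in review_list(zip_task_hits(SAMPLE_LOG)):
        print(f"{ip}: {ok} successful of {total} zip-task requests")
```

On an instance where SHARE_LINK_LOGIN_REQUIRED is enabled, correlate each listed client and timestamp with Seahub's own login records to separate signed-in users from anonymous callers.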
Evidence notes
The CVE record and NVD details were obtained from official sources. The vulnerability was reported by an unknown source, but references include commits and issues from the Seahub GitHub repository. The accuracy of the CVSS score and severity classification should be verified with the official CVE and NVD records.
This article is AI-assisted and based on the supplied source corpus.