PatchSiren cyber security CVE debrief
CVE-2026-11345 linqi GmbH CVE debrief
CVE-2026-11345 is an Improper Authentication vulnerability in the /api/Cdn/GetFile endpoint of linqi. This flaw allows unauthenticated, remote attackers to bypass file access controls by providing an 'AnonFile' query parameter containing exactly 256 characters. However, the actual security impact is negligible as the exposed resources are limited to minified JavaScript and CSS files that contain no sensitive data and are already publicly accessible via a standard CDN.
- Vendor: linqi GmbH
- Product: linqi
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
Users of linqi should be aware of this vulnerability and take necessary actions to protect their systems.
Technical summary
The ValidateAnonFileAccess function incorrectly grants access if an 'AnonFile' query parameter containing exactly 256 characters is provided. This allows bypassing the intended authorization check.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the vulnerability.
- Review and adjust file access controls to prevent unauthorized access.
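To check whether the condition in the technical summary has been exercised against a deployment, the following added example (not code from linqi or from this advisory) scans web access logs for requests to /api/Cdn/GetFile whose 'AnonFile' value is exactly 256 characters. It assumes combined-log-format lines, case-insensitive path and parameter names, length counted after percent-decoding, and that a 2xx status means the file was served; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/api/cdn/getfile"   # endpoint named in the advisory, lower-cased
PARAM = "anonfile"              # 'AnonFile' query parameter, lower-cased
BYPASS_LEN = 256                # length the advisory says is accepted

# Combined-log-format request line: client IP, method, target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def find_bypass_requests(lines):
    """Return one dict per request to the endpoint whose decoded AnonFile
    value is exactly BYPASS_LEN characters long."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        url = urlsplit(m["target"])
        if url.path.rstrip("/").lower() != ENDPOINT:
            continue
        # parse_qsl percent-decodes, so "%41" * 256 also counts as 256 chars.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() == PARAM and len(value) == BYPASS_LEN:
                status = int(m["status"])
                hits.append({"ip": m["ip"], "status": status,
                             "served": 200 <= status < 300})
                break
    return hits

def _line(ip, target, status):
    # Helper that builds a constructed log line for the sample below.
    return f'{ip} - - [05/Jun/2026:12:20:01 +0000] "GET {target} HTTP/1.1" {status} 512'

# Constructed sample log (documentation IP ranges); not real traffic.
SAMPLE_LOG = [
    _line("203.0.113.7", "/api/Cdn/GetFile?AnonFile=" + "A" * 256, 200),
    _line("203.0.113.8", "/api/Cdn/GetFile?AnonFile=" + "A" * 255, 401),
    _line("203.0.113.9", "/api/Cdn/GetFile?AnonFile=" + "A" * 257, 401),
    _line("198.51.100.4", "/api/cdn/getfile?anonfile=" + "%41" * 256, 200),
    _line("198.51.100.5", "/api/Other?AnonFile=" + "A" * 256, 200),
    _line("198.51.100.6", "/api/Cdn/GetFile?AnonFile=" + "A" * 256, 403),
]

if __name__ == "__main__":
    for hit in find_bypass_requests(SAMPLE_LOG):
        print(hit)
```

A hit with "served" set to False after the vendor update is applied indicates the 256-character value is no longer accepted.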
Evidence notes
The CVSS score for this vulnerability is 6.9 (MEDIUM).
Official resources
- CVE-2026-11345 CVE record (CVE.org)
- CVE-2026-11345 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 86c47df7-7d28-48da-920a-6423c52fd3da
CVE-2026-11345 was published on 2026-06-05T12:16:37.447Z and modified on 2026-06-05T16:07:31.547Z.