PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5026 OnionShare CVE debrief

CVE-2016-5026 is a local privilege and access-control issue in OnionShare before 0.9.1. If a local user pre-created the /tmp/onionshare directory, hs.py would operate on that user-controlled directory, allowing the hidden service to be modified. The practical impact is integrity loss rather than remote compromise, and it is most relevant on multi-user systems where untrusted local users can write to shared temporary locations.

Vendor: Onionshare
Product: CVE-2016-5026
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-30
Original CVE updated: 2026-05-13
Advisory published: 2017-01-30
Advisory updated: 2026-05-13

Who should care

Administrators and users running OnionShare on shared Linux or Unix-like systems, especially where multiple local accounts can interact with /tmp. Security teams should care if OnionShare is used in environments with untrusted local users.

Technical summary

NVD classifies the issue as CWE-284 (Improper Access Control) with CVSS 3.0 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The vulnerability affects OnionShare versions up to and including 0.9.0. By pre-creating /tmp/onionshare, a local user could interfere with hs.py's handling of the hidden service and alter it before the application secured the directory or otherwise validated its state.

Defensive priority

Medium. The issue requires local access, but it can enable meaningful integrity impact on shared systems and should be remediated where OnionShare is deployed alongside untrusted local users.

Recommended defensive actions

  • Upgrade OnionShare to version 0.9.1 or later.
  • Review deployments on multi-user systems for shared /tmp usage and local account separation.
  • Restrict who can log into systems running OnionShare when practical.
  • Monitor for unexpected filesystem state under /tmp/onionshare during startup.
  • Validate that the installed OnionShare version is outside the affected range (0.9.0 and earlier).
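The startup check described in the list above, as an added example written for this debrief rather than code from OnionShare itself: it inspects a directory that must be private to the running user and refuses to use one that was pre-created by someone else, symlinked, or left group/world writable, which is the pattern behind this CVE. The path and the fixed-version tuple are assumptions taken from the text, not from the project's source.

```python
import os
import stat

# Assumed values from the debrief: the shared path and the first fixed release.
PRIVATE_DIR = "/tmp/onionshare"
FIXED_VERSION = (0, 9, 1)


def check_private_dir(path, uid=None):
    """Return a list of reasons why `path` is unsafe to use as a private dir.

    An empty list means either the directory does not exist yet (the app may
    create it itself) or it already exists and is owned solely by `uid`.
    """
    if uid is None:
        uid = os.getuid()
    problems = []
    try:
        st = os.lstat(path)          # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return problems              # nothing pre-created; safe to create
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]           # could redirect writes elsewhere
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != uid:
        problems.append("owned by uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/world writable")
    return problems


def ensure_private_dir(path):
    """Create `path` with mode 0700, or raise if a pre-existing one is unsafe."""
    problems = check_private_dir(path)
    if problems:
        raise RuntimeError("refusing to use %s: %s" % (path, ", ".join(problems)))
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)            # makedirs' mode is subject to umask
    return path


def version_affected(version, fixed=FIXED_VERSION):
    """True when a dotted version string is older than the fixed release."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < fixed


if __name__ == "__main__":
    print("0.9.0 affected:", version_affected("0.9.0"))
    print("problems with %s:" % PRIVATE_DIR, check_private_dir(PRIVATE_DIR))
```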

Evidence notes

The CVE description states that hs.py in OnionShare before 0.9.1 allows local users to modify the hidden service by pre-creating /tmp/onionshare. NVD lists the affected CPE range as OnionShare through 0.9.0 and assigns CWE-284. This debrief stays within the supplied record and does not infer exploit details beyond the documented local directory pre-creation behavior.

Official resources

CVE published 2017-01-30T22:59:00.420Z; NVD record modified 2026-05-13T00:24:29.033Z. These timestamps describe disclosure and database updates, not the original bug introduction date.