Cloudreve is a self-hosted file management and sharing system. From 4.12.0 until 4.16.1, Cloudreve's OAuth access tokens are issued without the OAuth client_id claim, so the JWT verifier does not load token scopes into request context and RequiredScopes treats the request like non-scoped session authentication, allowing a low-scope OAuth access token to call APIs requiring higher scopes such as file, share, workflow, user setting, WebDAV account, and potentially admin scopes. This issue is fixed in version 4.16.1.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 15 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Cloudreve
Cloudreve cloudreve |
|
| Vendors & Products |
Cloudreve
Cloudreve cloudreve |
Wed, 15 Jul 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Cloudreve is a self-hosted file management and sharing system. From 4.12.0 until 4.16.1, Cloudreve's OAuth access tokens are issued without the OAuth client_id claim, so the JWT verifier does not load token scopes into request context and RequiredScopes treats the request like non-scoped session authentication, allowing a low-scope OAuth access token to call APIs requiring higher scopes such as file, share, workflow, user setting, WebDAV account, and potentially admin scopes. This issue is fixed in version 4.16.1. | |
| Title | Cloudreve: OAuth access tokens bypass scope enforcement due to missing client_id claim | |
| Weaknesses | CWE-863 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T15:16:35.699Z
Reserved: 2026-06-15T19:04:14.457Z
Link: CVE-2026-54560
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T19:15:14Z
Weaknesses