CVE-2026-56768

HIGH 8.8

Seahub < 13.0.23 - Authentication Bypass in ShareLinkZipTaskView GET Method

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link token can call the GET endpoint to obtain a fileserver zip token and download entire shared directory trees.

CWE	CWE-862
Vendor	haiwen
Product	seahub
Published	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for haiwen seahub

Be the first to know when new high vulnerabilities affecting haiwen seahub are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

haiwen / seahub

0 < 13.0.23

References

NVD ↗ CVE.org ↗ EPSS Data ↗

plus.seafile.com: https://plus.seafile.com/wiki/publish/seafile-wiki/v5D5/ github.com: https://github.com/haiwen/seahub/issues/9050 github.com: https://github.com/haiwen/seahub/commit/b609949cf64ed6a15708d0fb5ea9c179962e23cc github.com: https://github.com/haiwen/seahub/commit/162cddae0831188d02bb8d451dc2193e197dcc57 vulncheck.com: https://www.vulncheck.com/advisories/seahub-authentication-bypass-in-sharelinkziptaskview-get-method

Credits

George Chen