Cloudreve OAuth Scope Bypass Vulnerability

Vulnerability

A vulnerability in Cloudreve's OAuth implementation allows access tokens to bypass scope enforcement. This issue affects versions 4.12.0 through 4.16.0. The vulnerability arises because access tokens are issued without the 'client_id' claim, leading the JWT verifier to skip loading token scopes into the request context. As a result, low-scope tokens can access APIs requiring higher scopes, such as file management, sharing, workflow, user settings, WebDAV accounts, and potentially admin privileges.

Impact

Exploitation of this vulnerability allows OAuth access tokens to bypass scope checks, enabling access to APIs and functionalities that require higher privileges than those granted by the token's actual scope. This could lead to unauthorized access or modification of files, shares, workflows, user settings, and WebDAV account management for regular users. For administrators, it could allow access to admin-specific APIs without the proper scope authorization.

Reproduction

To reproduce this vulnerability, create or use an OAuth client with a low-privilege scope, such as 'openid'. Complete the OAuth authorization code flow for a normal user, requesting the 'openid' scope. Exchange the authorization code for an access token via the '/api/v4/session/oauth/token' endpoint. Decode the access token to verify that it contains the requested scopes but lacks the 'client_id' claim. Then, use the access token to call an API that requires a higher scope, such as 'Files.Read' or 'Admin.Write'. The request should be processed successfully, bypassing the scope check.

Remediation

Users can update to Cloudreve version 4.16.1, where this vulnerability has been fixed.

Added: Jul 15, 2026, 3:46 PM
Updated: Jul 15, 2026, 3:46 PM

Vulnerability Rating

Custom Algorithm
spread
6.4
impact
5.0
exploitability
6.0
remediation
7.7
relevance
9.7
threat
4.8
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.