CVE-2026-56768
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk30th percentile — higher than 30% of all known CVEs
Summary
A vulnerability in Seahub before version 13.0.23 allows unauthenticated users to bypass the SHARE_LINK_LOGIN_REQUIRED enforcement via a GET request to /api/v2.1/share-link-zip-task/. Attackers with a folder share-link token can obtain a fileserver zip token and download entire shared directory trees.
Risk Assessment
The organization is at risk of unauthorized access and data leakage, as attackers can download entire shared directories without required authentication.
Recommendation
Immediately upgrade Seahub to version 13.0.23 or later, which includes a fix that enforces authentication for this endpoint.
Original NVD description (English source)
Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link token can call the GET endpoint to obtain a fileserver zip token and download entire shared directory trees.

