CVE-2026-32108
Copyparty ftp/sftp: Sharing a single file did not fully restrict source-folder access
Severity: MEDIUM (6.5) | EPSS: 0.02%
Description
There was a missing permission-check in the shares feature (the `shr` global-option). This vulnerability only applies in the following scenario:

- The [shares](https://github.com/9001/copyparty/#shares) feature is used for the specific purpose of creating a share of just a single file inside a folder
- Either the FTP or SFTP server is enabled, and also made publicly accessible
- If a share is password-protected, then SFTP was not vulnerable unless the `sftp-pw` global-option was also enabled

Given these conditions, when a user is browsing a share through either FTP or SFTP (not http or https), they can gain read-access to the remaining files inside the shared folder by guessing/bruteforcing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This issue did not affect filekeys or dirkeys.

This vulnerability is [CVE-2025-58753](https://nvd.nist.gov/vuln/detail/CVE-2025-58753) which was previously fixed for HTTP and HTTPS, but not for FTP. The FTPS server did not yet exist at that time.
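The flaw described above is a permission check anchored to the wrong scope: a share that points at one file must not grant read access to the folder that file lives in. The following added example is not copyparty's code; it models the defect and its fix with a hypothetical share table (`SHARES`) and two check functions, `vulnerable_share_allows` and `fixed_share_allows`, so the difference can be exercised on constructed paths. The "vulnerable" model also keeps the limitation the advisory states (sibling files only, no descent into subdirectories).

```python
import posixpath

# Constructed share table (hypothetical; not copyparty's data model).
# A share maps a share-id to the virtual path it exposes, which is either a
# whole directory or a single file inside some folder.
SHARES = {
    "docs": {"target": "/pub/docs", "is_dir": True},
    "one":  {"target": "/pub/secret/report.pdf", "is_dir": False},
}


def _normalize(vpath):
    """Collapse '.', '..' and repeated slashes so a request cannot escape via traversal."""
    return posixpath.normpath("/" + vpath.lstrip("/"))


def _inside(path, root):
    """True if path is root itself or lies below directory root."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def vulnerable_share_allows(share_id, requested_vpath):
    """Model of the missing check: a single-file share is resolved to the
    parent folder of the shared file, so any sibling file whose name the
    client guesses is readable. Subdirectories of that folder stay closed,
    matching the behaviour the advisory describes."""
    share = SHARES.get(share_id)
    if share is None:
        return False
    req = _normalize(requested_vpath)
    if share["is_dir"]:
        return _inside(req, share["target"])
    folder = posixpath.dirname(share["target"])
    # Bug: only the folder is checked, not the specific shared file.
    return posixpath.dirname(req) == folder


def fixed_share_allows(share_id, requested_vpath):
    """Corrected check: a directory share permits everything below the
    directory; a single-file share permits exactly that one file."""
    share = SHARES.get(share_id)
    if share is None:
        return False
    req = _normalize(requested_vpath)
    if share["is_dir"]:
        return _inside(req, share["target"])
    return req == share["target"]


def compare(share_id, requested_vpath):
    """Return (vulnerable_result, fixed_result) for one request; used below."""
    return (vulnerable_share_allows(share_id, requested_vpath),
            fixed_share_allows(share_id, requested_vpath))


if __name__ == "__main__":
    for vpath in ("/pub/secret/report.pdf",      # the shared file itself
                  "/pub/secret/other.txt",       # sibling: readable before the fix
                  "/pub/secret/sub/deeper.txt",  # subdirectory: closed either way
                  "/pub/secret/../../etc/passwd"):  # traversal: closed either way
        print(vpath, compare("one", vpath))
```

Running the block prints the sibling file as `(True, False)`: readable under the folder-scoped check, denied once the check compares against the exact shared path. The same structure applies to any protocol front-end; the advisory's point is that the FTP/SFTP code paths needed the file-level comparison that HTTP already had.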
Affected packages (2)
- PyPI/copyparty: from 0, < 1.20.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |