CVE-2026-32108 Overview
CVE-2026-32108 is an authorization bypass vulnerability in Copyparty, a portable file server application. Prior to version 1.20.12, a missing permission check in the shares feature (the shr global-option) allows authenticated users to gain unauthorized read access to files within shared folders when accessing via FTP or SFTP protocols.
Critical Impact
Authenticated attackers can bypass share restrictions to access sibling files within shared directories by guessing or brute-forcing filenames when using FTP/SFTP access.
Affected Products
- Copyparty versions prior to 1.20.12
- Copyparty installations with FTP or SFTP server enabled and publicly accessible
- Copyparty shares configured for single-file sharing within folders
Discovery Timeline
- 2026-03-11 - CVE-2026-32108 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32108
Vulnerability Analysis
This vulnerability represents an incomplete fix for a previously addressed issue (CVE-2025-58753). While the earlier vulnerability was patched for HTTP and HTTPS protocols, the same authorization bypass remained exploitable through FTP and SFTP connections. The FTPS server did not exist at the time of the original fix, which contributed to this oversight.
The vulnerability specifically affects the shares feature when configured to share a single file within a folder. Under these conditions, an authenticated user accessing the share via FTP or SFTP can bypass the intended access restrictions and read other files located in the same directory. However, the vulnerability does not allow directory traversal into subdirectories—only sibling files at the same directory level are accessible.
This is classified under CWE-863 (Incorrect Authorization), indicating that the application fails to properly verify that a user is authorized to access particular resources before providing access.
Root Cause
The root cause is a missing permission check in the shares feature when accessed through FTP or SFTP protocols. When a user connects via these protocols and accesses a shared file, the application does not properly validate whether the user should have access to other files within the same parent directory. This allows users to enumerate and access files beyond the scope of the original share by guessing or brute-forcing filenames.
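To make the missing check concrete, the following is an added illustration in Python (hypothetical, not copyparty's code) of how a share resolver for a single-file share can go wrong: the vulnerable variant anchors the share at the file's parent folder and only refuses descent into subdirectories, so any sibling name is served, while the fixed variant also requires the resolved path to be exactly the configured target. The SHARES table, paths and function names are constructed for this example.

```python
from pathlib import PurePosixPath
from typing import Optional

# Constructed share table modelling the shr feature (hypothetical, not
# copyparty's code): a share key maps to one target inside a volume, which is
# either a single file or a whole directory.
SHARES = {
    "k1": {"target": "/vol/reports/2026-q1.pdf", "is_dir": False},
    "k2": {"target": "/vol/public", "is_dir": True},
}

def _join(root: str, requested: str) -> Optional[PurePosixPath]:
    """Join the client's request onto the share root, refusing '..' segments."""
    parts = [p for p in requested.split("/") if p not in ("", ".")]
    if ".." in parts:
        return None
    return PurePosixPath(root, *parts)

def _share_root(share: dict) -> PurePosixPath:
    # A single-file share is anchored at the folder containing the file.
    t = PurePosixPath(share["target"])
    return t if share["is_dir"] else t.parent

def resolve_vulnerable(share_key: str, requested: str) -> Optional[str]:
    """Models the incomplete FTP/SFTP-side check: descent into subdirectories of
    a single-file share is refused, but the requested *name* is never compared
    with the shared file, so any sibling in the same folder is served."""
    share = SHARES.get(share_key)
    if share is None:
        return None
    path = _join(str(_share_root(share)), requested)
    if path is None:
        return None
    if not share["is_dir"] and path.parent != _share_root(share):
        return None  # no traversal into subdirectories (this part was enforced)
    return str(path)

def resolve_fixed(share_key: str, requested: str) -> Optional[str]:
    """Adds the missing check: for a single-file share the resolved path must be
    exactly the configured target; directory shares behave as before."""
    share = SHARES.get(share_key)
    if share is None:
        return None
    path = _join(str(_share_root(share)), requested)
    if path is None:
        return None
    if share["is_dir"] or path == PurePosixPath(share["target"]):
        return str(path)
    return None
```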
Attack Vector
The attack requires network access to a vulnerable Copyparty instance with the following conditions met:
- The shares feature (shr global-option) must be enabled
- A share must be configured for a single file within a folder
- Either the FTP or SFTP server must be enabled and publicly accessible
- The attacker must have authenticated access to the FTP/SFTP service
Once these conditions are met, an attacker can connect via FTP or SFTP and attempt to access sibling files within the shared directory by guessing filenames. Successful guesses would return file contents that should not be accessible under the share's intended permissions.
For technical details on the vulnerability mechanism, see the GitHub Security Advisory.
Detection Methods for CVE-2026-32108
Indicators of Compromise
- Unusual FTP/SFTP authentication patterns with repeated file access attempts
- Multiple failed file access requests followed by successful retrievals of non-shared files
- Anomalous file enumeration activity through FTP/SFTP logs showing sequential filename guessing patterns
Detection Strategies
- Monitor FTP/SFTP server logs for repeated file access attempts from the same authenticated user
- Implement alerting on access patterns that suggest filename brute-forcing or enumeration
- Review access logs for successful file retrievals outside of configured share boundaries
Monitoring Recommendations
- Enable verbose logging on FTP/SFTP services to capture all file access attempts
- Implement rate limiting on file access requests to slow down brute-force attempts
- Set up alerts for unusual access patterns indicating potential exploitation attempts
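As an added example of the indicators and detection strategies above (not from this page or from copyparty), the script below runs two checks over constructed FTP/SFTP access-log lines in an invented format: it flags one authenticated user requesting many distinct filenames under a single-file share, and any successful retrieval of a file other than the share's configured target. The log format, share table and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed FTP/SFTP access-log lines (not copyparty's real log format):
# timestamp, authenticated user, client IP, operation, path, result.
# Share k1 is a single-file share whose target is 2026-q1.pdf; FAIL stands
# for any unsuccessful retrieval (e.g. a guessed name that does not exist).
SAMPLE_LOG = """\
2026-03-12T09:00:01Z user=alice ip=198.51.100.4 RETR /shr/k1/2026-q1.pdf OK
2026-03-12T09:00:02Z user=alice ip=198.51.100.4 RETR /shr/k1/budget.xlsx FAIL
2026-03-12T09:00:02Z user=alice ip=198.51.100.4 RETR /shr/k1/salaries.xlsx FAIL
2026-03-12T09:00:03Z user=alice ip=198.51.100.4 RETR /shr/k1/notes.txt FAIL
2026-03-12T09:00:03Z user=alice ip=198.51.100.4 RETR /shr/k1/payroll.csv OK
2026-03-12T09:05:00Z user=bob ip=203.0.113.9 RETR /shr/k1/2026-q1.pdf OK
"""

# Constructed share table: share key -> the one file the share is meant to expose.
SHARE_TARGETS = {"k1": "2026-q1.pdf"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"RETR /shr/(?P<share>[^/]+)/(?P<name>\S+) (?P<result>OK|FAIL)$"
)

def analyze(log_text: str, share_targets: dict, guess_threshold: int = 3) -> list:
    """Return alerts as (kind, user, share, detail) tuples.

    Two of the detection strategies from the advisory are implemented:
      * 'enumeration': one authenticated user requests >= guess_threshold
        distinct filenames under a single-file share (filename guessing).
      * 'out_of_share': a retrieval succeeded for a file that is not the
        share's configured target, i.e. the share boundary was crossed.
    """
    per_user_names = defaultdict(set)  # (user, share) -> distinct names requested
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        user, share, name, result = m["user"], m["share"], m["name"], m["result"]
        per_user_names[(user, share)].add(name)
        target = share_targets.get(share)
        if result == "OK" and target is not None and name != target:
            alerts.append(("out_of_share", user, share, name))
    for (user, share), names in per_user_names.items():
        if share in share_targets and len(names) >= guess_threshold:
            alerts.append(("enumeration", user, share, len(names)))
    return alerts
```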
How to Mitigate CVE-2026-32108
Immediate Actions Required
- Upgrade Copyparty to version 1.20.12 or later immediately
- Temporarily disable FTP/SFTP server access if upgrade cannot be performed immediately
- Review and audit existing share configurations to identify potentially exposed single-file shares
Patch Information
The vulnerability is fixed in Copyparty version 1.20.12. Users should upgrade to this version or later to remediate the vulnerability. The fix implements proper permission checks for FTP and SFTP access to ensure shares respect their configured boundaries.
For more information, refer to the GitHub Security Advisory for GHSA-67rw-2x62-mqqm.
Workarounds
- Disable FTP and SFTP server features if they are not required for operations
- Restrict network access to FTP/SFTP services using firewall rules to limit exposure
- Avoid creating single-file shares within directories containing other sensitive files
- Implement additional authentication requirements for FTP/SFTP access
# Configuration example
# If using Copyparty, upgrade to the patched version (quote the specifier so
# the shell does not treat ">=" as an output redirection)
pip install --upgrade 'copyparty>=1.20.12'
# Alternatively, disable FTP/SFTP in configuration if not needed
# Remove or comment out FTP/SFTP server options in your Copyparty configuration
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.