CVE-2026-45229 Overview
CVE-2026-45229 is a mass assignment vulnerability [CWE-915] in Quark Drive (quark-auto-save) versions prior to 0.8.5. The flaw resides in the POST /update endpoint, which iterates over user-supplied JSON keys and writes them into the config_data dictionary using a deny-list filter. Authenticated attackers can submit an arbitrary webui object to overwrite stored administrator credentials, lock out legitimate operators, and gain persistent control over configured tasks, cloud tokens, and notification services.
Critical Impact
Authenticated attackers can permanently replace administrator credentials and seize persistent control of all stored cloud tokens, scheduled tasks, and push notification integrations.
Affected Products
- quark-auto-save (Quark Drive) versions prior to 0.8.5
- The vulnerable POST /update handler in app/run.py
- Deployments exposing the Quark Drive web UI to authenticated users
Discovery Timeline
- 2026-05-13 - CVE-2026-45229 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45229
Vulnerability Analysis
The vulnerability stems from insecure handling of dynamic configuration updates in the Quark Drive web interface. The POST /update route loops through every key in the incoming JSON body and merges it directly into the in-memory config_data dictionary. The route relies on a small deny-list (dont_save_keys = ["task_plugins_config_default", "api_token"]) to block sensitive fields, but it does not restrict other security-relevant keys such as webui, which stores administrator login credentials.
Because config_data is then serialized to disk via Config.write_json(CONFIG_PATH, config_data), attacker-supplied values persist across restarts. Any authenticated user can therefore overwrite the administrator username and password, replace push configuration secrets, or modify cron schedules.
Root Cause
The root cause is a deny-list rather than an allow-list approach to mass assignment [CWE-915]. The original code blocks only two keys, leaving every other configuration field, including the webui credential block, writable by any authenticated caller. This violates the principle of least privilege for configuration mutation.
Attack Vector
An authenticated attacker sends a crafted POST /update request containing a webui object with new username and password fields. The server merges the object into config_data and writes it to the configuration file. On the next login, only the attacker's credentials are valid. The same primitive can be used to inject malicious push_config endpoints or alter tasklist entries to exfiltrate synced files.
global config_data
if not is_login():
return jsonify({"success": False, "message": "未登录"})
- dont_save_keys = ["task_plugins_config_default", "api_token"]
+ # 使用允许列表防止批量赋值攻击
+ allowed_keys = ["cookie", "crontab", "push_config", "tasklist",
+ "magic_regex", "plugins", "source"]
for key, value in request.json.items():
- if key not in dont_save_keys:
+ if key in allowed_keys:
config_data.update({key: value})
Config.write_json(CONFIG_PATH, config_data)
# 重新加载任务
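Review bot: the allow-list closes the webui overwrite but still lets any caller who passes is_login() replace cookie, push_config, tasklist and crontab, which the surrounding text describes as cloud tokens, notification secrets and scheduled tasks; consider gating /update (or at least those keys) behind an explicit administrator check rather than only the login check. Two smaller points in the same loop: request.json is None when the request carries no JSON body, so `for key, value in request.json.items():` raises instead of returning an error, and `config_data.update({key: value})` accepts any JSON type, so a string can land in tasklist; a guard such as `if not isinstance(request.json, dict): return jsonify({"success": False, ...})` plus a per-key type check before the write would make the handler fail closed.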
Source: GitHub Commit ea8377a. The patch replaces the deny-list with an explicit allow-list of seven safe keys, ensuring that webui and other privileged fields cannot be modified through /update.
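The following is an added Python model of the merge logic described in Root Cause, Attack Vector and the patch above; it is not code from quark-auto-save. It reproduces the deny-list merge, the allow-list merge from the fix, and a third variant that also type-checks each allowed value (the type schema is an assumption added here, not part of the upstream patch). The configuration, key sets and request body are constructed for the example; the key names follow those quoted in the advisory.

```python
import copy
from typing import Any, Dict, List, Tuple

# Constructed sample of the persisted configuration. Field names follow the ones
# the advisory mentions (webui, cookie, crontab, push_config, tasklist, ...);
# the values are placeholders invented for this example.
BASELINE_CONFIG: Dict[str, Any] = {
    "webui": {"username": "admin", "password": "original-secret"},
    "cookie": "cloud-session-cookie-placeholder",
    "crontab": "0 8 * * *",
    "push_config": {"webhook": "https://notify.example.invalid/hook"},
    "tasklist": [{"taskname": "nightly", "shareurl": "https://example.invalid/s/abc"}],
    "magic_regex": {},
    "plugins": {},
    "source": "",
    "api_token": "api-token-placeholder",
}

# The two key sets quoted in the advisory: the pre-0.8.5 deny-list and the
# allow-list introduced by the fix.
DENY_LIST = ["task_plugins_config_default", "api_token"]
ALLOW_LIST = ["cookie", "crontab", "push_config", "tasklist",
              "magic_regex", "plugins", "source"]

# Expected JSON type for each allowed key. This schema is an assumption added
# for the example; the upstream patch does not type-check values.
ALLOWED_TYPES = {
    "cookie": str, "crontab": str, "push_config": dict, "tasklist": list,
    "magic_regex": dict, "plugins": dict, "source": str,
}


def update_with_denylist(config: Dict[str, Any], payload: Dict[str, Any]) -> Dict[str, Any]:
    """Vulnerable merge: every key that is not explicitly denied is written."""
    merged = copy.deepcopy(config)  # copy so the caller's config is untouched
    for key, value in payload.items():
        if key not in DENY_LIST:
            merged[key] = value
    return merged


def update_with_allowlist(config: Dict[str, Any], payload: Dict[str, Any]) -> Dict[str, Any]:
    """Patched merge: only keys on the allow-list are written; webui is dropped."""
    merged = copy.deepcopy(config)
    for key, value in payload.items():
        if key in ALLOW_LIST:
            merged[key] = value
    return merged


def update_with_schema(config: Dict[str, Any], payload: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Allow-list plus per-key type check. Returns (merged_config, rejected_keys)
    so the caller can log which keys were refused instead of silently dropping them."""
    merged = copy.deepcopy(config)
    rejected: List[str] = []
    for key, value in payload.items():
        expected = ALLOWED_TYPES.get(key)
        if expected is None or not isinstance(value, expected):
            rejected.append(key)
            continue
        merged[key] = value
    return merged, rejected


# Constructed request body of the shape the advisory describes: a legitimate
# crontab change bundled with a webui object that would replace the admin
# credentials, plus a wrongly typed tasklist value.
MALICIOUS_PAYLOAD: Dict[str, Any] = {
    "crontab": "0 9 * * *",
    "webui": {"username": "attacker", "password": "replaced"},
    "tasklist": "not-a-list",
}

if __name__ == "__main__":
    vuln = update_with_denylist(BASELINE_CONFIG, MALICIOUS_PAYLOAD)
    print("deny-list  -> webui user:", vuln["webui"]["username"])   # attacker
    fixed = update_with_allowlist(BASELINE_CONFIG, MALICIOUS_PAYLOAD)
    print("allow-list -> webui user:", fixed["webui"]["username"])  # admin
    strict, rejected = update_with_schema(BASELINE_CONFIG, MALICIOUS_PAYLOAD)
    print("schema     -> rejected keys:", rejected)                 # ['webui', 'tasklist']
```

The deny-list variant lets the webui object through, which is the whole of CWE-915 here; the allow-list variant drops it but still accepts a string for tasklist, which is why the schema variant is worth the extra lines in a real handler: it refuses the key and reports it, so the rejection can be logged rather than vanishing silently.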
Detection Methods for CVE-2026-45229
Indicators of Compromise
- Unexpected modifications to the webui block (username or password hash changes) inside the persisted Quark Drive config file.
- HTTP POST /update requests whose JSON body contains a webui, api_token, or task_plugins_config_default key.
- Sudden lockout of legitimate administrators followed by successful logins from new source IP addresses.
Detection Strategies
- Inspect reverse-proxy and application logs for POST /update requests and alert when the body contains keys outside the documented allow-list (cookie, crontab, push_config, tasklist, magic_regex, plugins, source).
- Monitor the Quark Drive configuration file for unauthorized writes using file integrity monitoring focused on the webui and push_config sections.
- Correlate failed administrator logins with subsequent successful logins from previously unseen user agents or IPs.
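An added Python example covering the Indicators of Compromise and Detection Strategies above: the first function scans access-log lines for POST /update bodies that carry keys outside the documented allow-list, and the second compares two snapshots of the persisted configuration and names the sensitive sections that changed. This is not code from quark-auto-save or any SIEM; it assumes a reverse proxy that writes one JSON object per line with a recorded request body (the field names ts, ip, method, path, status and body are an assumption), and the log lines are constructed for the example.

```python
import json
from typing import Any, Dict, List

# Allow-list of keys the patched /update handler accepts, as quoted in the advisory.
ALLOW_LIST = {"cookie", "crontab", "push_config", "tasklist",
              "magic_regex", "plugins", "source"}

# Configuration sections whose change should raise an alert (from the IoC list).
SENSITIVE_SECTIONS = ("webui", "push_config", "tasklist", "api_token")

# Constructed access-log sample: one JSON object per line, proxy configured to
# record the request body. Field names are an assumption for this example.
SAMPLE_LOG = """\
{"ts":"2026-05-13T10:00:01Z","ip":"10.0.0.5","method":"POST","path":"/update","status":200,"body":"{\\"crontab\\":\\"0 8 * * *\\"}"}
{"ts":"2026-05-13T10:00:07Z","ip":"10.0.0.9","method":"GET","path":"/","status":200,"body":""}
{"ts":"2026-05-13T10:01:14Z","ip":"203.0.113.7","method":"POST","path":"/update","status":200,"body":"{\\"crontab\\":\\"0 9 * * *\\",\\"webui\\":{\\"username\\":\\"x\\",\\"password\\":\\"y\\"}}"}
{"ts":"2026-05-13T10:01:20Z","ip":"203.0.113.7","method":"POST","path":"/update","status":200,"body":"not json"}
"""


def flag_update_requests(log_text: str) -> List[Dict[str, Any]]:
    """Return one finding per POST /update whose body is not a JSON object
    made only of allow-listed keys. Findings carry the log line number, the
    client IP, the offending keys and a short reason."""
    findings: List[Dict[str, Any]] = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a log line we understand; leave it to other rules
        if entry.get("method") != "POST" or entry.get("path") != "/update":
            continue
        base = {"line": lineno, "ip": entry.get("ip"), "keys": []}
        try:
            body = json.loads(entry.get("body") or "{}")
        except json.JSONDecodeError:
            # The handler expects JSON; anything else aimed at /update is odd enough to flag.
            findings.append({**base, "reason": "unparseable body"})
            continue
        if not isinstance(body, dict):
            findings.append({**base, "reason": "non-object body"})
            continue
        bad = sorted(k for k in body if k not in ALLOW_LIST)
        if bad:
            findings.append({**base, "keys": bad, "reason": "key outside allow-list"})
    return findings


def sensitive_config_changes(baseline: Dict[str, Any], current: Dict[str, Any]) -> List[str]:
    """Name the sensitive sections that differ between two configuration snapshots.
    Intended to run from a file-integrity hook after each write of the config file."""
    return [s for s in SENSITIVE_SECTIONS if baseline.get(s) != current.get(s)]


if __name__ == "__main__":
    for f in flag_update_requests(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: {f['reason']} {f['keys']}")
    before = {"webui": {"username": "admin", "password": "h1"}, "crontab": "0 8 * * *"}
    after = {"webui": {"username": "admin", "password": "h2"}, "crontab": "0 9 * * *"}
    print("changed sensitive sections:", sensitive_config_changes(before, after))  # ['webui']
```

The log check keys on the allow-list rather than on the single webui key so that it also catches api_token and task_plugins_config_default, the two keys the old deny-list blocked, and any other unexpected field; the config comparison deliberately ignores crontab changes, which are routine, and reports only the sections the IoC list calls out.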
Monitoring Recommendations
- Forward Quark Drive application logs and host audit events to a centralized SIEM and retain them for at least 90 days.
- Track outbound traffic to push notification endpoints; new or unexpected webhook destinations may indicate push_config tampering.
- Alert on process restarts of quark-auto-save immediately following an authenticated POST /update call.
How to Mitigate CVE-2026-45229
Immediate Actions Required
- Upgrade quark-auto-save to version 0.8.5 or later, which enforces the allow-list fix from commit ea8377a.
- Rotate the administrator password, cloud cookies, and any api_token values stored in the configuration after upgrading.
- Audit the configuration file for unauthorized changes to webui, push_config, and tasklist entries.
Patch Information
The fix shipped in Quark Auto Save v0.8.5 and is implemented in commit ea8377a. Additional advisory information is available from the VulnCheck Security Advisory.
Workarounds
- Restrict network access to the Quark Drive web UI using a reverse proxy or firewall allow-list until the upgrade is applied.
- Place a WAF rule in front of /update that rejects requests containing a webui key in the JSON body.
- Disable shared or low-privilege accounts on the Quark Drive instance to reduce the population of users who can reach the authenticated endpoint.
# Example nginx rule (OpenResty / ngx_http_lua_module) blocking POST /update bodies that reference the webui key
location = /update {
    if ($request_method = POST) {
        access_by_lua_block {
            ngx.req.read_body()
            -- get_body_data() returns nil when the body was spooled to a temp file
            -- (larger than client_body_buffer_size); fail closed in that case so an
            -- oversized body cannot slip past the check.
            local body = ngx.req.get_body_data()
            if body == nil and ngx.req.get_body_file() ~= nil then
                return ngx.exit(403)
            end
            body = body or ""
            -- literal substring match (the fourth argument disables Lua patterns);
            -- a stopgap until the upgrade, not a substitute for it
            if body:find('"webui"', 1, true) then
                return ngx.exit(403)
            end
        }
    }
    proxy_pass http://quark_auto_save_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.