PT-2026-29420 · Cloudreve · Cloudreve

Orenyomtov · Published 2026-03-31 · Updated 2026-04-04 · CVE-2026-25726

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Cloudreve versions prior to 4.13.0

Description: Cloudreve is a self-hosted file management and sharing system. Versions prior to 4.13.0 use a weak pseudo-random number generator (math/rand) seeded with time to generate critical security secrets, including the secret key and the hash id salt. An attacker can obtain the administrator's account creation time via public API endpoints to narrow the search window for the PRNG seed and use a known hashid to validate a candidate seed. By brute-forcing the seed (demonstrated to take less than 3 hours on a general consumer PC), an attacker can predict the secret key. This allows them to forge valid JSON Web Tokens (JWTs) for any user, including administrators, leading to full account takeover and privilege escalation. Servers running version 4.10.0 and later are still vulnerable if they were originally installed using an older version, because the weak secrets persist in the configuration.

Recommendations: Upgrade to version 4.13.0 to invalidate the existing secret key and regenerate a new, cryptographically secure secret key using crypto/rand. If an immediate upgrade is not possible, stop the Cloudreve service, locate the secret key setting in the Cloudreve database, replace the value with a long, random string (e.g., generated via openssl rand -base64 64), and restart the Cloudreve service. Note that this will log out all currently active users.
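To illustrate the root cause and the remediation above, here is an added Go example (not Cloudreve's own code): the vulnerable math/rand pattern, which makes the secret a deterministic function of its timestamp seed, beside the crypto/rand replacement, plus a deploy-time check that a manually replaced secret decodes to enough random bytes. The function names and the `minSecretBytes` policy value are assumptions for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	mrand "math/rand"
)

// Minimum random bytes for a signing secret; a policy value chosen for this example.
const minSecretBytes = 32

// weakSecretFromSeed mirrors the vulnerable pattern: math/rand seeded with a
// timestamp, so the secret is a pure function of the seed and no stronger.
func weakSecretFromSeed(seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	buf := make([]byte, minSecretBytes)
	for i := range buf {
		buf[i] = byte(r.Intn(256))
	}
	return base64.StdEncoding.EncodeToString(buf)
}

// strongSecret is the hardened pattern: crypto/rand reads the OS CSPRNG, so
// there is no seed to recover.
func strongSecret(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf), nil
}

// validateSecret is a deploy-time check on the configured value: base64 that
// decodes to at least minSecretBytes, rejecting short hand-typed replacements.
func validateSecret(s string) error {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return fmt.Errorf("secret is not valid base64: %w", err)
	}
	if len(raw) < minSecretBytes {
		return fmt.Errorf("secret too short: %d bytes, need %d", len(raw), minSecretBytes)
	}
	return nil
}
```

Calling strongSecret(64) yields a value of the same size as the advisory's `openssl rand -base64 64` suggestion, and validateSecret rejects anything shorter than 32 decoded bytes.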

Related Identifiers

CVE-2026-25726
GHSA-F8XP-WVCX-P6F4

Affected Products

Cloudreve