Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1933+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-45695: Kopia Backup Tool Exposes Unauthenticated HTTP API
CVE-2026-45695: Kopia Backup Tool Exposes Unauthenticated HTTP API

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-45695

CVE-2026-45695: Kopia Backup Tool Exposes Unauthenticated HTTP API

A critical authentication bypass in Kopia, a cross-platform backup tool for Windows, macOS, and Linux, allows unauthenticated access to repository API endpoints when the server is started with the --without-password flag. Fixed in Kopia v0.23.0.

Dylan H.

Security Team

July 17, 2026
4 min read

Affected Products

  • Kopia < 0.23.0 (Windows, macOS, Linux)

Overview

CVE-2026-45695 is a critical authentication bypass vulnerability (CVSS 9.8) in Kopia, a popular open-source cross-platform backup tool for Windows, macOS, and Linux. When Kopia's built-in HTTP server is started with the --without-password flag, the API endpoint /api/v1/repo/exists — and potentially other endpoints — accepts unauthenticated HTTP requests from any client that can reach the server.

This allows any unauthenticated attacker with network access to the Kopia HTTP server to query or interact with backup repositories without providing credentials. The vulnerability is fixed in Kopia v0.23.0.

Technical Details

Vulnerable Component

Kopia ships with an integrated HTTP server that exposes a REST API for managing backup repositories. The server supports a --without-password mode intended for trusted environments (e.g., local desktop use). However, versions prior to 0.23.0 fail to enforce authentication on certain API endpoints when this mode is active:

  • /api/v1/repo/exists is confirmed to accept unauthenticated requests
  • The server binds to an accessible interface, making it reachable beyond localhost in some deployment configurations

Because Kopia stores encrypted backups and manages repository credentials, unauthorized access to its API could allow an attacker to:

  • Enumerate repositories and their metadata
  • Determine whether specific repositories exist (information disclosure)
  • Potentially issue further API calls to read, corrupt, or delete backup data depending on the endpoint scope

Attack Vector

AttributeValue
CVSS Score9.8 (Critical)
Attack VectorNetwork
Authentication RequiredNone
Privileges RequiredNone
User InteractionNone
ImpactUnauthorized repository access

Who Is at Risk

  • Users running kopia server start --without-password with the server bound to a non-loopback interface
  • Systems where Kopia is deployed as a background service accessible over LAN or internet
  • Docker/NAS/homelab setups where Kopia's HTTP port is exposed without an additional authentication layer

Users running Kopia in strictly local (loopback-only) configurations with a password set are at significantly lower risk, though upgrading remains strongly recommended.

Affected Versions

ComponentAffectedFixed
Kopia (all platforms)< 0.23.00.23.0+

Remediation

  1. Upgrade to Kopia v0.23.0 or later — this is the primary fix
  2. Do not start the Kopia HTTP server with --without-password in any environment where the server is network-accessible from untrusted hosts
  3. Bind the server to loopback (--address=127.0.0.1) if password-free local access is required
  4. Firewall the Kopia HTTP port at the network level as a compensating control on older versions
  5. Review Kopia server logs for unexpected API calls to /api/v1/repo/exists or similar endpoints

Why This Matters

Backup software is a high-value target for attackers. Compromising a backup system can allow adversaries to:

  • Destroy backups before launching ransomware — eliminating recovery options
  • Exfiltrate sensitive data stored in backup archives
  • Gain lateral movement via credentials or configuration data found in backup sets

Kopia is a growing alternative to Restic and Duplicati, with a strong presence in homelab, NAS, and self-hosted cloud backup scenarios. The --without-password mode is commonly used in these environments, making this vulnerability particularly impactful for the community of users most likely to have network-accessible Kopia instances.

Recommendations

  • Upgrade immediately to Kopia v0.23.0 or the latest available release
  • Audit existing Kopia server deployments for the --without-password flag in service definitions, startup scripts, Docker Compose files, and systemd units
  • Check for signs of unauthorized access in Kopia API logs, particularly calls to /api/v1/repo/exists from unexpected source IPs
  • Adopt defense-in-depth for all backup services — run behind a VPN or authenticated reverse proxy rather than exposing the API directly

References

  • NVD — CVE-2026-45695
  • Kopia GitHub
  • Kopia Releases
#CVE-2026-45695#Kopia#Authentication Bypass#Backup Software#API Security#Critical Vulnerability

Related Articles

CVE-2025-71327: Flowise Authentication Bypass Grants Full API Access

A critical authentication bypass in Flowise allows unauthenticated attackers to register accounts via an unprotected API endpoint and gain full platform...

5 min read

CVE-2026-42569: phpVMS Critical Unauthenticated Legacy

A critical vulnerability (CVSS 9.4) in phpVMS before version 7.0.6 allows unauthenticated attackers to access a legacy import feature, potentially...

5 min read

CVE-2026-14890: SGLang ZeroMQ Unauthenticated RCE via Pickle Deserialization

A critical unauthenticated remote code execution vulnerability in the SGLang AI inference framework allows attackers to deliver malicious pickle payloads through an exposed ZeroMQ PULL socket, achieving arbitrary code execution without credentials.

4 min read
Back to all Security Alerts