Overview
CVE-2026-45695 is a critical authentication bypass vulnerability (CVSS 9.8) in Kopia, a popular open-source cross-platform backup tool for Windows, macOS, and Linux. When Kopia's built-in HTTP server is started with the --without-password flag, the API endpoint /api/v1/repo/exists — and potentially other endpoints — accepts unauthenticated HTTP requests from any client that can reach the server.
This allows any unauthenticated attacker with network access to the Kopia HTTP server to query or interact with backup repositories without providing credentials. The vulnerability is fixed in Kopia v0.23.0.
Technical Details
Vulnerable Component
Kopia ships with an integrated HTTP server that exposes a REST API for managing backup repositories. The server supports a --without-password mode intended for trusted environments (e.g., local desktop use). However, versions prior to 0.23.0 fail to enforce authentication on certain API endpoints when this mode is active:
/api/v1/repo/existsis confirmed to accept unauthenticated requests- The server binds to an accessible interface, making it reachable beyond localhost in some deployment configurations
Because Kopia stores encrypted backups and manages repository credentials, unauthorized access to its API could allow an attacker to:
- Enumerate repositories and their metadata
- Determine whether specific repositories exist (information disclosure)
- Potentially issue further API calls to read, corrupt, or delete backup data depending on the endpoint scope
Attack Vector
| Attribute | Value |
|---|---|
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Authentication Required | None |
| Privileges Required | None |
| User Interaction | None |
| Impact | Unauthorized repository access |
Who Is at Risk
- Users running
kopia server start --without-passwordwith the server bound to a non-loopback interface - Systems where Kopia is deployed as a background service accessible over LAN or internet
- Docker/NAS/homelab setups where Kopia's HTTP port is exposed without an additional authentication layer
Users running Kopia in strictly local (loopback-only) configurations with a password set are at significantly lower risk, though upgrading remains strongly recommended.
Affected Versions
| Component | Affected | Fixed |
|---|---|---|
| Kopia (all platforms) | < 0.23.0 | 0.23.0+ |
Remediation
- Upgrade to Kopia v0.23.0 or later — this is the primary fix
- Do not start the Kopia HTTP server with
--without-passwordin any environment where the server is network-accessible from untrusted hosts - Bind the server to loopback (
--address=127.0.0.1) if password-free local access is required - Firewall the Kopia HTTP port at the network level as a compensating control on older versions
- Review Kopia server logs for unexpected API calls to
/api/v1/repo/existsor similar endpoints
Why This Matters
Backup software is a high-value target for attackers. Compromising a backup system can allow adversaries to:
- Destroy backups before launching ransomware — eliminating recovery options
- Exfiltrate sensitive data stored in backup archives
- Gain lateral movement via credentials or configuration data found in backup sets
Kopia is a growing alternative to Restic and Duplicati, with a strong presence in homelab, NAS, and self-hosted cloud backup scenarios. The --without-password mode is commonly used in these environments, making this vulnerability particularly impactful for the community of users most likely to have network-accessible Kopia instances.
Recommendations
- Upgrade immediately to Kopia v0.23.0 or the latest available release
- Audit existing Kopia server deployments for the
--without-passwordflag in service definitions, startup scripts, Docker Compose files, and systemd units - Check for signs of unauthorized access in Kopia API logs, particularly calls to
/api/v1/repo/existsfrom unexpected source IPs - Adopt defense-in-depth for all backup services — run behind a VPN or authenticated reverse proxy rather than exposing the API directly