Executive Summary
A high-severity authentication bypass vulnerability (CVE-2026-6569) has been identified in KodExplorer (kodcloud), a widely deployed self-hosted web-based file manager and collaborative cloud platform. The flaw affects all releases through version 4.52 and carries a CVSS score of 7.3.
The vulnerability resides in the fileGet function within /app/controller/share.class.php, where manipulation of the fileUrl argument bypasses authentication controls entirely. An unauthenticated remote attacker can exploit this to read arbitrary files accessible by the KodExplorer process — including configuration files, credentials, and user data.
Organizations running KodExplorer 4.52 or earlier should restrict access to the share controller's fileGet action now and upgrade as soon as the vendor confirms a release that addresses the issue (see Patch Available below).
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-6569 |
| CVSS Score | 7.3 (High) |
| CWE | CWE-287 — Improper Authentication |
| Type | Authentication Bypass / Unauthorized File Read |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Affected Endpoint | /app/controller/share.class.php — fileGet |
| Patch Available | Not confirmed — upgrade to latest release |
Affected Versions
| Product | Affected Versions | Status |
|---|---|---|
| KodExplorer (kodcloud) | All releases <= 4.52 | Vulnerable |
| KodExplorer (kodcloud) | Post-4.52 releases | Verify with vendor |
Technical Analysis
Root Cause
KodExplorer's fileGet endpoint under the share controller is designed to return a file only to a requester who is authenticated or who presents a valid share link for that file. The vulnerability is that the handler acts on the fileUrl parameter before that check is enforced, so the authentication state of the requester is never validated.
An attacker can craft a direct HTTP request to the endpoint with a manipulated fileUrl value — bypassing the expected authentication check — and receive the contents of the targeted file in the server response.
Attack Scenario
1. Attacker identifies a KodExplorer instance exposed to the network
2. Attacker crafts a GET or POST request to the fileGet action of the share controller, implemented in:
/app/controller/share.class.php
(the action is reached through KodExplorer's front controller, index.php, with the controller/action in the query string, not by requesting the class file directly) with fileUrl pointing to a target file path
3. Server processes fileGet without validating authentication session
4. File contents returned to unauthenticated attacker
5. Attacker may pivot using exposed config files or credentials
Exploitation Conditions
- KodExplorer 4.52 or earlier must be installed
- The share feature / fileGet endpoint must be network-accessible
- No authentication or special privileges required by the attacker
- Works from any network with HTTP(S) access to the target
Impact Assessment
| Impact Area | Description |
|---|---|
| Unauthorized File Read | Attacker can retrieve any file readable by the web server process via fileUrl manipulation |
| Credential Exposure | Config files containing database passwords or API keys may be readable |
| User Data Disclosure | User files stored in KodExplorer may be accessible |
| Pivot Potential | Leaked credentials can be used to compromise backend databases or services |
| Confidentiality Breach | Any document stored in the cloud file manager is at risk |
Immediate Remediation
Step 1: Upgrade KodExplorer
Update to the latest available release from the official repository:
# Check your current installed version
cat /path/to/kodexplorer/config/version.php
# Download and apply the latest release from the vendor
# https://github.com/kalcaddle/KodExplorer
Step 2: Restrict Network Access
If an immediate upgrade is not possible, restrict access to the fileGet action at the web server or firewall. Note that /app/controller/share.class.php is the source file that implements the controller; KodExplorer dispatches requests through its front controller (index.php, with the controller/action in the query string), so a rule that only matches the class file path does not stop the attack. Send a test request to confirm which URL the action answers on in your deployment, match the rule to that request, and check afterwards that the block behaves as intended (it disables file download through share links while it is in place).
Nginx — block the share controller:
location ~* ^/app/controller/share\.class\.php { return 403; }
# The action is dispatched via index.php; reject it by query string as well
location = /index.php {
    if ($args ~* "(^|&)share/fileGet") { return 403; }
    # keep your existing fastcgi_pass / include lines for PHP here
}
Apache — block via .htaccess:
<FilesMatch "share\.class\.php">
    Require all denied
</FilesMatch>
# Apache 2.4 syntax above; also reject the dispatched action by query string (needs mod_rewrite)
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)share/fileGet [NC]
RewriteRule ^index\.php$ - [F]
Step 3: Audit for Prior Exploitation
# Review web server access logs for requests to the vulnerable action. KodExplorer
# dispatches through index.php, so the log records "share/fileGet" in the query
# string rather than the class file path; match both in case the file was probed directly
grep -iE "share/fileGet|share\.class\.php" /var/log/nginx/access.log
grep -iE "share/fileGet|share\.class\.php" /var/log/apache2/access.log
# Look for fileUrl values carrying plain, URL-encoded or double-encoded traversal sequences
grep -i "fileUrl" /var/log/nginx/access.log | grep -iE "\.\./|%2e%2e|%252e%252e"
Step 4: Rotate Exposed Credentials
If exploitation is suspected or config files were accessible:
# Identify database and secret settings in the KodExplorer configuration
grep -iE "db|pass|key" /path/to/kodexplorer/config/setting_user.php
# Rotate any credentials or API keys found in configuration files:
# update database passwords and regenerate application secrets
Detection Indicators
| Indicator | Description |
|---|---|
| Requests to the share/fileGet action without session cookies | Unauthenticated fileGet access attempt |
| fileUrl parameters containing ../ or encoded traversal sequences | Path traversal exploitation attempt |
| Unexpected file reads from web process in OS-level audit logs | Active exploitation on the host |
| Unusual outbound HTTP requests following web requests | Data exfiltration after file read |
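The log review in Step 3 and the first two indicators in the table above, turned into a small triage script. This is an added example, not code from the advisory or from KodExplorer. It assumes nginx combined-format lines with $http_cookie appended as one extra quoted field (the plain combined format does not record cookies), that the action appears in the query string as share/fileGet, and a session cookie named kod_session; all three are assumptions to check against your deployment, and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed name of the KodExplorer session cookie; check what your deployment sets.
SESSION_COOKIE_NAME = "kod_session"

# nginx "combined" format plus one trailing quoted field for $http_cookie, e.g.
#   log_format withcookie '$remote_addr - $remote_user [$time_local] "$request" '
#                         '$status $body_bytes_sent "$http_referer" '
#                         '"$http_user_agent" "$http_cookie"';
# The cookie field is optional so plain combined logs still parse; the
# no-session check is only applied when the field is present.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
    r'(?: "(?P<cookie>[^"]*)")?$'
)

# Assumed request shape: index.php?share/fileGet&fileUrl=... (verify locally).
ACTION_RE = re.compile(r'(^|&)share/fileGet(&|$)', re.IGNORECASE)
# A ".." path segment after decoding, regardless of separator.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

# Constructed sample lines, not real traffic: a normal authenticated request,
# two unauthenticated fileGet requests with plain and double-encoded traversal,
# and one authenticated fileGet for an ordinary file.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:10:01:22 +0000] "GET /index.php?explorer/list&path=/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0" "kod_session=abc123"
203.0.113.7 - - [10/Mar/2026:10:02:03 +0000] "GET /index.php?share/fileGet&fileUrl=..%2F..%2F..%2Fconfig%2Fsetting_user.php HTTP/1.1" 200 2048 "-" "curl/8.4.0" "-"
203.0.113.7 - - [10/Mar/2026:10:02:09 +0000] "GET /index.php?share/fileGet&fileUrl=%252e%252e%2F%252e%252e%2Fdata%2Fsystem%2Fuser.php HTTP/1.1" 200 1900 "-" "curl/8.4.0" "-"
198.51.100.9 - - [10/Mar/2026:10:05:41 +0000] "GET /index.php?share/fileGet&fileUrl=report.pdf&sid=sh7x HTTP/1.1" 200 88120 "-" "Mozilla/5.0" "kod_session=def456"
"""


def fully_decode(value, max_rounds=3):
    """URL-decode until the value stops changing, so %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(file_url):
    """True if the decoded fileUrl contains a '..' path segment."""
    decoded = fully_decode(file_url).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def triage_line(line):
    """Return a finding dict for a share/fileGet request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    if not ACTION_RE.search(query):
        return None
    params = parse_qs(query, keep_blank_values=True)  # decodes one level
    file_url = params.get("fileUrl", [""])[0]
    reasons = []
    if is_traversal(file_url):
        reasons.append("traversal")
    cookie = m.group("cookie")
    if cookie is not None and SESSION_COOKIE_NAME + "=" not in cookie:
        reasons.append("no_session_cookie")
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "file_url": fully_decode(file_url),
        "reasons": reasons,
    }


def triage_log(text):
    """All fileGet requests with at least one indicator, in log order."""
    findings = []
    for line in text.splitlines():
        finding = triage_line(line)
        if finding and finding["reasons"]:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["file_url"], ",".join(f["reasons"]))
```

Run it against a real log with `triage_log(open("/var/log/nginx/access.log").read())`. A 200 status on a flagged line means the file was actually served and the credential rotation in Step 4 applies; the decoding loop matters because a single decode, which is all parse_qs does, leaves double-encoded traversal looking like harmless percent sequences.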
Post-Remediation Checklist
- Upgrade KodExplorer to the latest available version
- Block access to the share controller at the web server level if upgrading is delayed
- Review access logs for requests targeting the fileGet endpoint
- Rotate all credentials stored in KodExplorer configuration files
- Notify users if their personal files may have been accessed
- Enable application-layer authentication (SSO, reverse-proxy auth) in front of KodExplorer
- Restrict KodExplorer to internal networks only — avoid public internet exposure
- Monitor for follow-on attacks using credentials that may have been leaked