CVE-2026-11345

Vulnerability

An Improper Authentication vulnerability exists in the /api/Cdn/GetFile endpoint of linqi, affecting all versions prior to 1.4.8.6. The ValidateAnonFileAccess function incorrectly grants access if an AnonFile query parameter with exactly 256 characters is provided, bypassing intended authorization checks [1].

Exploitation

An unauthenticated, remote attacker can exploit this vulnerability by sending a request to the /api/Cdn/GetFile endpoint and including an AnonFile query parameter that contains precisely 256 characters. This specific parameter value triggers the flawed validation logic, allowing access to files that would otherwise be restricted [1].

Impact

Successful exploitation allows an attacker to bypass file access controls. However, the impact is negligible as the vulnerability only exposes minified JavaScript and CSS files. These files contain no sensitive data and are already publicly accessible through a standard CDN [1].

Mitigation

The vulnerability has been resolved in linqi version 1.4.8.6, released on June 5, 2026. The update corrects the authentication logic to properly validate access. Customers are recommended to update to version 1.4.8.6 or later [1].