VYPR
High severity (8.8) · NVD Advisory · Published May 13, 2026 · Updated May 14, 2026

CVE-2026-45229

Description

Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary. Attackers can exploit insufficient deny-list filtering to permanently replace stored login credentials, lock out legitimate administrators, and gain persistent access to all configured tasks, cloud tokens, and notification services.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Quark Drive before 0.8.5 allows authenticated attackers to overwrite admin credentials via mass assignment in the POST /update endpoint, gaining persistent access.

Vulnerability

In Quark Drive versions prior to 0.8.5, the POST /update endpoint filters the submitted JSON with a deny-list that blocks only the task_plugins_config_default and api_token keys [2]. Every other top-level key is merged into config_data with a dict update, so an authenticated attacker can submit a webui object (carrying username and password fields) in the request body and replace the stored administrator credentials wholesale [1][3]. The affected code path is reachable by any authenticated user with a valid session; the handler checks only that the caller is logged in, not which account is making the change [2].

Exploitation

An attacker needs a valid account on the Quark Drive instance and network access to the POST /update endpoint [3]. The attacker sends a crafted JSON object that includes a webui key mapped to an object with new username and password values. Because webui is not in the deny-list, the server merges it into config_data, writes the configuration to disk, and the replaced credentials take effect, locking out the legitimate administrator [2][3]. No further user interaction is required.

Impact

Successful exploitation permanently overwrites the stored login credentials for the Quark Drive web interface, locking out legitimate administrators [3]. The attacker gains persistent access with the same privileges as the original admin account, enabling full control over all configured tasks, cloud tokens, and notification services associated with the instance [3].

Mitigation

The vulnerability is fixed in version 0.8.5, which replaces the deny-list with an allow-list that only permits specific keys (cookie, crontab, push_config, tasklist, magic_regex, plugins, source) to be updated [1][2]. All users should upgrade to Quark Drive 0.8.5 or later. No known workarounds exist for earlier versions [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (1)
ea8377a59644

security(run.py): prevent mass assignment attacks

https://github.com/Cp0204/quark-auto-save · Cp0204 · Apr 17, 2026 · via nvd-ref
1 file changed · +4 −2
  • app/run.py · +4 −2 · modified
    @@ -189,9 +189,11 @@ def update():
         global config_data
         if not is_login():
             return jsonify({"success": False, "message": "未登录"})
    -    dont_save_keys = ["task_plugins_config_default", "api_token"]
    +    # 使用允许列表防止批量赋值攻击
    +    allowed_keys = ["cookie", "crontab", "push_config", "tasklist",
    +                    "magic_regex", "plugins", "source"]
         for key, value in request.json.items():
    -        if key not in dont_save_keys:
    +        if key in allowed_keys:
                 config_data.update({key: value})
         Config.write_json(CONFIG_PATH, config_data)
         # 重新加载任务
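Review bot: the allow-list in this hunk restricts which top-level keys reach config_data, but not what is stored under them: `config_data.update({key: value})` still persists whatever JSON the client sends for `plugins`, `tasklist`, `push_config` and the other allowed keys, with no type or shape check before `Config.write_json(CONFIG_PATH, config_data)`. Suggest validating each value (for example `isinstance(value, dict)` for `plugins`) before the update, and guarding `request.json.items()` with an `isinstance(request.json, dict)` check, since a non-object JSON body (a list or `null`) raises on `.items()` here instead of returning the handler's JSON error shape. Keys outside `allowed_keys` are also dropped silently; returning or logging the rejected keys would make an attempted `webui` overwrite visible to the operator rather than indistinguishable from a successful request.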
    

Vulnerability mechanics

Root cause

"The POST /update endpoint uses a deny-list (blacklist) that only blocks two keys, allowing attackers to overwrite any other config_data field—including administrator credentials—by posting arbitrary keys."

Attack vector

An authenticated attacker sends a POST request to the /update endpoint with a JSON body containing a key such as "webui" (or any key not in the original deny-list) mapped to a value that overwrites administrator credentials. The endpoint iterates over all keys in the request and updates config_data for any key that is not in the deny-list ["task_plugins_config_default", "api_token"]. Because the deny-list is extremely narrow, the attacker can permanently replace stored login credentials, lock out legitimate administrators, and gain persistent access to all configured tasks, cloud tokens, and notification services [CWE-915].

Affected code

The vulnerable code is in app/run.py within the update() function. The endpoint iterates over request.json items and updates config_data for any key not in the deny-list ["task_plugins_config_default", "api_token"], allowing arbitrary configuration fields to be overwritten [patch_id=424514].

What the fix does

The patch replaces the deny-list (dont_save_keys) with an allow-list (allowed_keys) containing only the fields that are safe to update: "cookie", "crontab", "push_config", "tasklist", "magic_regex", "plugins", and "source". The condition is flipped from "if key not in dont_save_keys" to "if key in allowed_keys", so any key not explicitly listed—including "webui" or any other credential-bearing field—is silently ignored. This closes the mass assignment vulnerability by ensuring only pre-approved configuration keys can be modified through the endpoint [patch_id=424514].
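The deny-list versus allow-list merge described in the Vulnerability, Exploitation and Mitigation sections above and in this "What the fix does" section, as an added example that is not code from the quark-auto-save project: the two versions of the update() merge loop are reduced to pure Python functions over an already-parsed JSON body (Flask, the global config_data and the is_login() check are left out so the block runs offline), and a constructed payload carrying a webui object is replayed against both. The starting config contents, the attacker values, and the per-key types in the stricter update_strict() variant are assumptions for illustration; update_strict() goes beyond the project's fix by also type-checking values and reporting the keys it dropped.

```python
"""Added example, not code from the quark-auto-save project.

Models the config merge of the POST /update handler before and after the
0.8.5 fix and replays a constructed mass-assignment payload against both.
The handler bodies are reduced to pure functions over a parsed JSON body;
the functions return a modified copy instead of mutating a global.
"""
import copy

# Constructed sample of the persisted config_data, with the web-UI login
# stored under the `webui` key as the advisory describes. Values are
# illustrative; the real file layout is not shown on this page.
SAMPLE_CONFIG = {
    "webui": {"username": "admin", "password": "correct-horse"},
    "cookie": "",
    "crontab": "0 8 * * *",
    "push_config": {},
    "tasklist": [],
    "magic_regex": {},
    "plugins": {},
    "source": [],
    "api_token": "secret-token",
    "task_plugins_config_default": {},
}

# Pre-0.8.5 behaviour: a deny-list of two keys, everything else merged.
DONT_SAVE_KEYS = ["task_plugins_config_default", "api_token"]

# 0.8.5 behaviour: an allow-list of keys that may be updated.
ALLOWED_KEYS = ["cookie", "crontab", "push_config", "tasklist",
                "magic_regex", "plugins", "source"]


def update_vulnerable(config_data: dict, body: dict) -> dict:
    """Deny-list merge as in app/run.py before the fix (CWE-915)."""
    config_data = copy.deepcopy(config_data)
    for key, value in body.items():
        if key not in DONT_SAVE_KEYS:          # `webui` passes this check
            config_data.update({key: value})
    return config_data


def update_fixed(config_data: dict, body: dict) -> dict:
    """Allow-list merge as in app/run.py at 0.8.5."""
    config_data = copy.deepcopy(config_data)
    for key, value in body.items():
        if key in ALLOWED_KEYS:                 # `webui` is dropped silently
            config_data.update({key: value})
    return config_data


# Hypothetical further hardening (not in the project): allow-list plus a
# per-key type check, and a list of dropped keys so a rejected `webui`
# write can be logged instead of vanishing. The expected types below are
# assumptions made for this example.
ALLOWED_SCHEMA = {
    "cookie": str, "crontab": str, "push_config": dict, "tasklist": list,
    "magic_regex": dict, "plugins": dict, "source": list,
}


def update_strict(config_data: dict, body) -> tuple:
    """Allow-list merge with type validation; returns (config, rejected)."""
    if not isinstance(body, dict):              # list/null bodies are refused
        raise ValueError("JSON body must be an object")
    config_data = copy.deepcopy(config_data)
    rejected = []
    for key, value in body.items():
        expected = ALLOWED_SCHEMA.get(key)
        if expected is None or not isinstance(value, expected):
            rejected.append(key)
            continue
        config_data[key] = value
    return config_data, rejected


# Constructed attacker payload: a legitimate-looking crontab change bundled
# with a `webui` object that replaces the stored login.
ATTACK_PAYLOAD = {
    "crontab": "0 9 * * *",
    "webui": {"username": "attacker", "password": "pwned"},
}


def replay() -> dict:
    """Run the payload through all three merges and summarise the outcome."""
    vulnerable = update_vulnerable(SAMPLE_CONFIG, ATTACK_PAYLOAD)
    fixed = update_fixed(SAMPLE_CONFIG, ATTACK_PAYLOAD)
    strict, rejected = update_strict(SAMPLE_CONFIG, ATTACK_PAYLOAD)
    return {
        "vulnerable_webui": vulnerable["webui"],
        "fixed_webui": fixed["webui"],
        "strict_webui": strict["webui"],
        "rejected": rejected,
    }


if __name__ == "__main__":
    for name, value in replay().items():
        print(f"{name}: {value}")
```

Running the block shows the deny-list version accepting the attacker's webui object while the allow-list version keeps the original login; update_strict() additionally names "webui" as a rejected key, which is the signal an operator would want to alert on.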

Preconditions

  • auth: Attacker must be authenticated (logged in) to the Quark Drive web interface.
  • network: Attacker must be able to send HTTP POST requests to the /update endpoint.

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (3)
