CVE-2026-50891

Vulnerability

An incorrect access control vulnerability exists in the /admin/api/config component of Filestash v0.4.0 [1]. The AdminOnly middleware only enforces the admin cookie check when the configuration key auth.admin is non-empty. During the initial setup, auth.admin is unset, so the API endpoint proceeds without requiring an admin session [1]. This allows an attacker to read and modify the entire admin configuration, including setting a new administrator password hash [1].

Exploitation

An attacker must have network access to a reachable, uninitialized Filestash instance (where auth.admin is still empty) [1]. The exploit requires no prior authentication or user interaction. The attacker sends a GET request to /admin/api/config to retrieve the current configuration, then replaces the auth.admin value with a bcrypt hash of a chosen password, and sends a POST request to /admin/api/config with the modified JSON body [1]. The configuration is reloaded immediately, effectively setting the attacker's password [1].

Impact

Successful exploitation results in unauthenticated administrative takeover of the Filestash instance [1]. The attacker gains full control over global configuration, storage definitions, sharing behavior, and any secrets managed through the admin console [1]. This represents a complete compromise of the application's confidentiality, integrity, and availability.

Mitigation

As of the provided references, no official patch has been released for Filestash v0.4.0 [1]. Users running an uninitialized instance should ensure that the admin interface is not exposed to untrusted networks until the initial setup is completed by a legitimate administrator [1]. Alternatively, setting a dummy auth.admin value before exposing the instance may serve as a temporary workaround. Monitor for future updates from the vendor.