How is CVE-2026-50891 exploited?

Network reachability (required): The vulnerable /admin/api/config endpoint is exposed over the network, so an attacker must be able to reach the service via HTTP/HTTPS to exploit it. Authentication (required): A valid account is required to send requests, but any low-privilege account is sufficient; no administrator credentials are needed. Victim interaction (not-required): The attacker sends a crafted request directly to the endpoint; no action from another user is needed to trigger the vulnerability. Attack complexity (info): The exploit is reliable and condition-free; no race conditions, memory layout dependencies, or other environmental factors need to align.

What is the impact of CVE-2026-50891?

A successful attacker reads the full application configuration via the admin API, which may expose credentials, storage backend secrets, and integration tokens stored in that configuration. The attacker can write arbitrary configuration values, allowing them to redirect storage backends, disable authentication requirements, or alter access control rules across the Filestash instance. Privilege escalation to effective administrative control means any data managed through the Filestash instance is accessible and modifiable by the attacker.

Back to search

HIGHCVE-2026-50891Published 2026-06-15Modified 2026-06-16CNA mitre

CVE-2026-50891: Incorrect access control in the /admin/api/config component of Filestash v0

Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An incorrect access control vulnerability in the /admin/api/config endpoint of Filestash v0.4.0 allows an authenticated attacker to escalate their privileges by sending a crafted HTTP request to the admin API. The vulnerability is reachable over the network and requires only a low-privilege account, meaning no admin credentials are needed to begin the attack. Successful exploitation gives the attacker both read and write access to application configuration, effectively granting administrative control. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-50891 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Filestash v0.4.0, in both registry scans and CI pipeline checks.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.1 (HIGH) and weighting it against each environment's compliance policy to determine urgency; findings are then routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no fix version has been published for this CVE, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable /admin/api/config endpoint is exposed over the network, so an attacker must be able to reach the service via HTTP/HTTPS to exploit it.
AuthenticationRequired
A valid account is required to send requests, but any low-privilege account is sufficient; no administrator credentials are needed.
Victim interactionNot required
The attacker sends a crafted request directly to the endpoint; no action from another user is needed to trigger the vulnerability.
Attack complexityDetail
The exploit is reliable and condition-free; no race conditions, memory layout dependencies, or other environmental factors need to align.

Blast Radius

A successful attacker reads the full application configuration via the admin API, which may expose credentials, storage backend secrets, and integration tokens stored in that configuration.
The attacker can write arbitrary configuration values, allowing them to redirect storage backends, disable authentication requirements, or alter access control rules across the Filestash instance.
Privilege escalation to effective administrative control means any data managed through the Filestash instance is accessible and modifiable by the attacker.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-50891 is matched against all images in connected registries and pipelines, including custom-built images containing Filestash v0.4.0. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment the Filestash project publishes a corrected release. For customers with auto-remediation enabled, that rebuild will be paired with a regression test run and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include network policy rules that restrict access to the /admin/api/config route to known trusted source IPs, egress filtering to limit what a compromised Filestash instance can reach, and disabling or gating the admin API endpoint at the ingress layer if direct admin API access is not required for normal operations.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

gist.github.com

Metrics

Get notified