{"id":"PYSEC-2026-31","details":"Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating a share of just a single file inside a folder or either the FTP or SFTP server is enabled, and also made publicly accessible. Given these conditions, when a user is browsing a share through either FTP or SFTP (not http or https), they can gain read-access to the remaining files inside the shared folder by guessing/bruteforcing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This vulnerability is similar to CVE-2025-58753 which was previously fixed for HTTP and HTTPS, but not for FTP. The FTPS server did not yet exist at that time. This vulnerability is fixed in 1.20.12.","aliases":["CVE-2026-32108","GHSA-67rw-2x62-mqqm"],"modified":"2026-05-20T09:18:55.420886Z","published":"2026-03-11T21:16:16.760Z","references":[{"type":"ADVISORY","url":"https://github.com/9001/copyparty/security/advisories/GHSA-67rw-2x62-mqqm"}],"affected":[{"package":{"name":"copyparty","ecosystem":"PyPI","purl":"pkg:pypi/copyparty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.20.12"}]}],"versions":["0.10.0","0.10.1","0.10.10","0.10.11","0.10.12","0.10.13","0.10.14","0.10.15","0.10.16","0.10.17","0.10.18","0.10.19","0.10.2","0.10.20","0.10.21","0.10.22","0.10.3","0.10.4","0.10.5","0.10.6","0.10.7","0.10.8","0.10.9","0.11.0","0.11.1","0.11.10","0.11.11","0.11.12","0.11.13","0.11.14","0.11.15","0.11.16","0.11.17","0.11.18","0.11.19","0.11.20","0.11.21","0.11.22","0.11.23","0.11.24","0.11.26","0.11.27","0.11.28","0.11.29","0.11.30","0.11.31","0.11.32","0.11.33","0.11.34","0.11.35","0.11.36","0.11.37","0.11.38","0.11.39","0.11.40","0.11.41","0.11.42","0.11.43","0.11.44","0.11.45","0.11.46","0.11.47","0.11.5","0.11.6","0.11.7","0.11.8","0.11.9","0.12.1","0.12.10","0.12.11","0.12.12","0.12.3","0.12.4","0.12.5","0.12.6","0.12.7","0.12.8","0.12.9","0.13.0","0.13.1","0.13.10","0.13.11","0.13.12","0.13.13","0.13.14","0.13.2","0.13.3","0.13.5","0.13.6","0.13.7","0.13.9","0.2.3","0.3.0","0.3.1","0.4.0","0.4.1","0.4.2","0.4.3","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.5.7","0.6.0","0.6.2","0.6.3","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.7.7","0.8.1","0.8.3","0.9.0","0.9.1","0.9.10","0.9.11","0.9.13","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9","1.0.0","1.0.1","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.2","1.0.3","1.0.4","1.0.5","1.0.7","1.0.8","1.0.9","1.1.0","1.1.1","1.1.10","1.1.11","1.1.12","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7","1.1.8","1.1.9","1.10.0","1.10.1","1.10.2","1.11.0","1.11.1","1.11.2","1.12.0","1.12.1","1.12.2","1.13.0","1.13.1","1.13.2","1.13.3","1.13.4","1.13.5","1.13.6","1.13.7","1.13.8","1.14.0","1.14.1","1.14.2","1.14.3","1.14.4","1.15.0","1.15.1","1.15.10","1.15.2","1.15.3","1.15.4","1.15.5","1.15.6","1.15.7","1.15.8","1.15.9","1.16.0","1.16.1","1.16.10","1.16.11","1.16.12","1.16.13","1.16.14","1.16.15","1.16.16","1.16.17","1.16.18","1.16.19","1.16.2","1.16.20","1.16.21","1.16.3","1.16.4","1.16.5","1.16.6","1.16.7","1.16.8","1.16.9","1.17.0","1.17.1","1.17.2","1.18.0","1.18.1","1.18.10","1.18.2","1.18.3","1.18.4","1.18.5","1.18.6","1.18.7","1.18.8","1.18.9","1.19.0","1.19.1","1.19.10","1.19.11","1.19.12","1.19.13","1.19.14","1.19.15","1.19.16","1.19.17","1.19.18","1.19.19","1.19.2","1.19.20","1.19.21","1.19.22","1.19.23","1.19.3","1.19.4","1.19.5","1.19.6","1.19.7","1.19.8","1.19.9","1.2.0","1.2.1","1.2.10","1.2.11","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","1.20.0","1.20.1","1.20.10","1.20.11","1.20.2","1.20.3","1.20.4","1.20.5","1.20.6","1.20.7","1.20.8","1.20.9","1.3.0","1.3.1","1.3.10","1.3.11","1.3.12","1.3.13","1.3.14","1.3.15","1.3.16","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.5.0","1.5.1","1.5.2","1.5.3","1.5.4","1.5.5","1.5.6","1.6.0","1.6.1","1.6.10","1.6.11","1.6.12","1.6.13","1.6.14","1.6.15","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","1.7.0","1.7.1","1.7.2","1.7.3","1.7.4","1.7.5","1.7.6","1.8.0","1.8.1","1.8.2","1.8.3","1.8.4","1.8.6","1.8.7","1.8.8","1.9.0","1.9.1","1.9.10","1.9.11","1.9.12","1.9.13","1.9.14","1.9.15","1.9.16","1.9.17","1.9.18","1.9.19","1.9.2","1.9.20","1.9.21","1.9.24","1.9.25","1.9.26","1.9.27","1.9.28","1.9.29","1.9.3","1.9.30","1.9.31","1.9.4","1.9.5","1.9.6","1.9.7","1.9.8","1.9.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/copyparty/PYSEC-2026-31.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}