high advisory

CVE-2026-45229: Quark Drive Mass Assignment Vulnerability Allows Credential Overwrite

Quark Drive before version 0.8.5 contains a mass assignment vulnerability (CVE-2026-45229) in the POST /update endpoint that lets authenticated attackers overwrite administrator credentials and gain persistent access to configured tasks, cloud tokens, and notification services.

Quark Drive before version 0.8.5 is susceptible to a mass assignment vulnerability identified as CVE-2026-45229. The flaw resides in the POST /update endpoint. An authenticated attacker can overwrite administrator credentials by including a crafted webui object in the config_data dictionary. Because the deny-list filtering is insufficient, the attacker can permanently replace the stored login credentials, effectively locking out legitimate administrators. Successful exploitation grants persistent access to all configured tasks, cloud tokens, and notification services managed by the Quark Drive instance. This vulnerability poses a significant risk to data confidentiality and system availability.

Attack Chain

  1. Attacker authenticates to Quark Drive using valid user credentials.
  2. Attacker crafts a malicious HTTP POST request targeting the /update endpoint.
  3. The POST request includes a config_data dictionary containing a webui object.
  4. The webui object is designed to overwrite existing administrator credentials.
  5. The server-side deny-list filtering fails to properly sanitize the input, allowing the malicious webui object to be processed.
  6. The administrator’s credentials stored within the Quark Drive configuration are replaced with attacker-controlled values.
  7. The legitimate administrator is locked out of the system due to the credential change.
  8. The attacker gains persistent access to all configured tasks, cloud tokens, and notification services, allowing for unauthorized data access and control.

Impact

Successful exploitation of CVE-2026-45229 allows an attacker to overwrite administrator credentials, leading to a complete lockout of legitimate administrators. This grants the attacker persistent and unauthorized control over all Quark Drive functions, including tasks, cloud tokens, and notification services. The attacker can then access sensitive data, modify configurations, and disrupt services, potentially leading to significant financial and reputational damage.

Recommendation

  • Upgrade Quark Drive instances to version 0.8.5 or later to remediate CVE-2026-45229.
  • Deploy the Sigma rule "Detect Quark Drive Mass Assignment Attempt" to identify suspicious POST requests to the /update endpoint.
  • Monitor web server logs for unusual POST requests to the /update endpoint that include a config_data dictionary with webui objects.
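
The log check recommended above, sketched as an added example (not the platform's Sigma rule and not Quark Drive code). It assumes a proxy or WAF that records request bodies as JSON lines with hypothetical fields src, method, path and body, and it looks for a webui object at any depth because the advisory does not give the exact body layout; all records and the field names inside webui are constructed.

```python
import json
from urllib.parse import urlsplit

def find_webui(node, trail=""):
    """Yield (json_path, field_names) for each 'webui' object at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{trail}.{key}" if trail else key
            if key == "webui" and isinstance(value, dict):
                yield here, sorted(value)  # field names only, never the values
            yield from find_webui(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_webui(item, f"{trail}[{i}]")

def scan(lines):
    """Return one alert per 'webui' object found in a POST /update body."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
            body = json.loads(rec.get("body") or "null")
        except (ValueError, TypeError, AttributeError):
            continue  # skip records or bodies that are not parseable JSON
        if str(rec.get("method", "")).upper() != "POST":
            continue
        if urlsplit(str(rec.get("path", ""))).path != "/update":
            continue  # query strings are ignored when matching the endpoint
        for where, fields in find_webui(body):
            alerts.append({"src": rec.get("src"), "where": where, "fields": fields})
    return alerts

def _rec(src, method, path, body):
    # Builds one constructed log record in the assumed schema.
    return json.dumps({"src": src, "method": method, "path": path, "body": body})

# Constructed sample records; keys such as tasklist/username/password are illustrative.
SAMPLE = [
    _rec("192.0.2.10", "POST", "/update", json.dumps({"config_data": {"tasklist": []}})),
    _rec("192.0.2.77", "POST", "/update?t=1", json.dumps({"config_data": {"webui": {"username": "x", "password": "y"}}})),
    _rec("192.0.2.78", "POST", "/update", json.dumps({"webui": {"password": "y"}})),
    _rec("192.0.2.10", "GET", "/update", ""),
    _rec("192.0.2.99", "POST", "/update", "{not json"),
    _rec("192.0.2.50", "POST", "/login", json.dumps({"webui": {}})),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Alerts carry only the names of the fields inside webui, so submitted credential values are not copied into the alert pipeline.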

Detection coverage 1

Detect Quark Drive Mass Assignment Attempt

high

Detects CVE-2026-45229 exploitation — HTTP POST request to /update with suspicious webui object in config_data indicating a mass assignment attempt to overwrite administrator credentials.

Format: Sigma | Tactics: persistence, privilege_escalation | Sources: webserver
