CVE-2026-32108: Copyparty ftp/sftp: Sharing a single file did not fully restrict source-folder access
There was a missing permission check in the shares feature (the shr global-option).
This vulnerability only applies in the following scenario:
- The shares feature is used for the specific purpose of creating a share of just a single file inside a folder
- Either the FTP or the SFTP server is enabled, and is also publicly accessible
- If a share is password-protected, SFTP was not vulnerable unless the sftp-pw global-option was also enabled
Given these conditions, a user browsing a share through FTP or SFTP (not HTTP or HTTPS) could gain read access to the remaining files inside the shared folder by guessing or brute-forcing their filenames.
It was not possible to descend into subdirectories in this manner; only the sibling files were accessible.
This issue did not affect filekeys or dirkeys.
This is the same flaw as CVE-2025-58753, which was previously fixed for HTTP and HTTPS but not for FTP. The SFTP server did not yet exist at that time.
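The following is an added illustration of the bug class described above, written for this page; it is not copyparty's code, and the share table, the file layout, the share key k7x2 and the function names are constructed for the example. It models a single-file share whose permission check was enforced only by the HTTP frontend (allowed_before_fix), so that an FTP/SFTP client could read any sibling file in the source folder by guessing its name, next to a version that applies the same check regardless of which frontend asked (allowed_after_fix). As on the page, only direct children of the source folder are reachable; subdirectories are rejected in both versions.

```python
import posixpath

# Constructed share table (not copyparty data):
# share key -> (source folder on disk, single shared filename, or None for a folder share)
SHARES = {
    "k7x2": ("/srv/photos/2024", "beach.jpg"),   # single-file share
    "docs": ("/srv/docs", None),                 # ordinary whole-folder share
}

# Constructed on-disk layout, so the example runs without touching a filesystem.
FILES = {
    "/srv/photos/2024/beach.jpg",
    "/srv/photos/2024/passport-scan.jpg",   # sibling the share must NOT expose
    "/srv/photos/2024/raw/IMG_0001.CR2",    # lives in a subfolder
    "/srv/docs/readme.txt",
}


def _resolve(share_key, rel):
    """Map a request inside a share to an absolute path; None unless it names a direct child."""
    src, _ = SHARES[share_key]
    # Prefixing "/" before normpath means ".." can never climb above the share root.
    norm = posixpath.normpath("/" + rel).lstrip("/")
    # Only direct children are considered: descending into subdirectories was not possible.
    if not norm or "/" in norm:
        return None
    return posixpath.join(src, norm)


def allowed_before_fix(share_key, rel, proto):
    """Pre-fix model: the single-file restriction lives in the HTTP frontend only."""
    abspath = _resolve(share_key, rel)
    if abspath is None or abspath not in FILES:
        return False
    _, single = SHARES[share_key]
    if proto in ("http", "https") and single is not None:
        return posixpath.basename(abspath) == single
    # FTP/SFTP path: any existing sibling in the source folder is readable.
    return True


def allowed_after_fix(share_key, rel, proto):
    """Fixed model: the single-file check is applied in the shared authorization layer."""
    abspath = _resolve(share_key, rel)
    if abspath is None or abspath not in FILES:
        return False
    _, single = SHARES[share_key]
    if single is not None:
        return posixpath.basename(abspath) == single
    return True


def guessable_siblings(check, share_key, proto, wordlist):
    """Simulate the attacker: try each candidate filename and return the ones that are readable."""
    return [name for name in wordlist if check(share_key, name, proto)]


# Constructed attacker wordlist, including a subfolder path and a traversal attempt.
WORDLIST = [
    "beach.jpg",
    "passport-scan.jpg",
    "raw/IMG_0001.CR2",
    "../../docs/readme.txt",
    "nope.txt",
]

if __name__ == "__main__":
    for proto in ("https", "sftp"):
        print(proto, "before fix:", guessable_siblings(allowed_before_fix, "k7x2", proto, WORDLIST))
        print(proto, "after fix: ", guessable_siblings(allowed_after_fix, "k7x2", proto, WORDLIST))
```

The practical lesson is where the check sits: when a restriction is implemented in one protocol frontend, every other frontend that resolves the same share (FTP, SFTP, WebDAV, and any added later) silently inherits the gap. Placing the single-file test in the common authorization path, as allowed_after_fix does, fixes all of them at once.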