IDOR in Parcelhive File-Sharing Endpoint Exposes Private Documents
- CVE ID
- N/A
- CVSS Score
- 7.5
- Affected Products
- Parcelhive Web App (all plans, pre-2025.11 release)
Overview
Parcelhive’s “share this file” feature generated share links using a sequential, base62-encoded integer rather than a cryptographically random identifier. An authenticated user on any tenant could enumerate nearby IDs and access documents belonging to other, unrelated organizations.
Impact
Any authenticated Parcelhive user could view, and in some cases download, private files belonging to other tenants simply by incrementing a value in the share URL — no additional authorization check was performed beyond confirming the requester held some valid session.
Affected Products
- Parcelhive Web App, all releases prior to the 2025.11 patch cycle
Technical Details
Share links followed the pattern /share/{id}, where {id} was a base62
encoding of an auto-incrementing database primary key. The share-retrieval
endpoint verified that a session cookie was present and valid, but did not
verify that the requesting user’s tenant matched the tenant that owned the
requested file. Sequential IDs made enumeration of the full range of existing
share links trivial from a single low-privilege account.
Remediation
Parcelhive’s 2025.11 release replaced sequential share IDs with 128-bit random tokens and added an explicit tenant-ownership check on the retrieval endpoint, closing both the enumeration vector and the underlying missing authorization check. Customers on the current release are not affected; no customer action is required.
Disclosure Timeline
- 2025-10-14 — Issue identified and reported to Parcelhive’s security team
- 2025-10-16 — Vendor acknowledged and began remediation
- 2025-11-04 — Fix deployed to all environments
- 2025-11-20 — Public advisory published following vendor sign-off
Found something similar in your stack?
Let's find out before it becomes an incident.
Book an advisory call