CVE-2026-54560
CVE-2026-54560 affects Cloudreve prior to version 4.16.1, where OAuth access tokens could be issued without the OAuth client_id claim. The missing client_id causes the JWT verifier to not load token scopes into the request context, making RequiredScopes treat the request as unscoped session authe...