Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.
Published: 2026-02-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Download Leading to Confidentiality Breach
Action: Immediate Patch
AI Analysis

Impact

FileBrowser Quantum lets users share files with password protection, but the API mistakenly exposes a direct download URL in the share details. A recipient who merely has the share link can download the file without providing the password, effectively bypassing the intended authorization. This flaw allows an unauthenticated attacker to obtain confidential files and poses a risk of data leakage. The issue aligns with CWE‑200 (Information Exposure), CWE‑287 (Improper Authentication), and CWE‑288 (Improper Permission Assignment).

Affected Systems

The vulnerability affects gtsteffaniak's FileBrowser Quantum. Versions prior to 1.1.3‑stable on the stable branch and before 1.2.6‑beta on the beta branch are susceptible. The problem is resolved in those releases and all newer versions.

Risk and Exploitability

With a CVSS score of 7.1 the severity is high; however, the EPSS score is less than 1%, indicating a low likelihood of exploitation at present. The flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be a web‑API IDOR that returns a direct download link to any user who possesses the share URL, requiring no additional authentication.

Generated by OpenCVE AI on April 17, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patched release of FileBrowser Quantum (1.1.3‑stable or later, or 1.2.6‑beta or later).
  • Revoke any share links created before the patch to remove exposed direct download URLs.
  • Adjust the share API to enforce password verification and strip direct download links from responses. (In line with CWE‑287 remediation.)
  • Enable logging and monitoring of share link access to detect unauthorized downloads.

Generated by OpenCVE AI on April 17, 2026 at 15:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8vrh-3pm2-v4v6 FileBrowser Quantum: Password Protection Not Enforced on Shared File Links
History

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Gtsteffaniak filebrowser Quantum
CPEs cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:*:*:*:*:*:*:*
cpe:2.3:a:gtsteffaniak:filebrowser_quantum:1.1.3:beta:*:*:*:*:*:*
Vendors & Products Gtsteffaniak filebrowser Quantum
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Fri, 27 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Gtsteffaniak
Gtsteffaniak filebrowser
Vendors & Products Gtsteffaniak
Gtsteffaniak filebrowser

Wed, 25 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Description FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.
Title FileBrowser Quantum: Password Protection Not Enforced on Shared File Links
Weaknesses CWE-200
CWE-287
CWE-288
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Gtsteffaniak Filebrowser Filebrowser Quantum
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T17:11:18.122Z

Reserved: 2026-02-20T19:43:14.602Z

Link: CVE-2026-27611

cve-icon Vulnrichment

Updated: 2026-02-27T17:10:38.672Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T03:16:05.463

Modified: 2026-02-27T19:12:25.640

Link: CVE-2026-27611

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:45:15Z

Weaknesses