Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password-protected shares still disclose a tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
Published: 2026-03-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure in Password‑Protected Shares
Action: Patch Upgrade
AI Analysis

Impact

FileBrowser Quantum previously implemented a fix for CVE-2026-27611 that was later found incomplete. In affected releases, password-protected shares continue to expose a tokenized download URL through the /public/api/share/info endpoint. This lapse allows an unauthenticated attacker to obtain a direct download link to resources that the share protection was intended to guard, thereby disclosing confidential data. The weakness aligns with CWE-200 (Information Exposure), CWE-306 (Missing Authentication), and CWE-602 (Client-Side Enforcement of Server-Side Security).

Affected Systems

The vulnerability applies to gtsteffaniak’s FileBrowser Quantum web‑based file manager. All product releases prior to 1.2.2‑stable and 1.3.1‑beta are affected, including 1.2.1‑stable and 1.3.0‑beta. Users running these versions should consider them at risk.

Risk and Exploitability

The CVSS score of 7.5 denotes high severity, while the EPSS score of less than 1% indicates a low probability of real-world exploitation at this time. The weakness is not listed in the CISA KEV catalog, which records vulnerabilities with confirmed exploitation in the wild. Attackers can exploit the flaw remotely by sending crafted requests to /public/api/share/info, revealing the download URL even when the share is password protected. No privilege escalation or code execution is involved, but the data exposure could support subsequent attacks.

Generated by OpenCVE AI on April 16, 2026 at 09:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to version 1.3.1‑beta or 1.2.2‑stable, which removes the download URL exposure.
  • If an upgrade is not immediately feasible, restrict external access to the /public/api/share/info endpoint using firewall rules or reverse‑proxy authentication to prevent unauthenticated disclosure.
  • After configuration changes, validate that password‑protected shares no longer return tokenized download URLs by testing the API and monitoring logs for anomalous access patterns.



Advisories
Source: Github GHSA
ID: GHSA-525j-95gf-766f
Title: FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info

History

Wed, 18 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Filebrowser
Filebrowser filebrowser
CPEs cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*
cpe:2.3:a:filebrowser:filebrowser:1.2.1:stable:*:*:*:*:*:*
cpe:2.3:a:filebrowser:filebrowser:1.3.0:beta:*:*:*:*:*:*
Vendors & Products Filebrowser
Filebrowser filebrowser

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Gtsteffaniak
Gtsteffaniak filebrowser
Vendors & Products Gtsteffaniak
Gtsteffaniak filebrowser

Tue, 10 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password-protected shares still disclose a tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
Title FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info
Weaknesses CWE-200
CWE-306
CWE-602
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T16:41:10.543Z

Reserved: 2026-03-07T16:40:05.885Z

Link: CVE-2026-30933

Vulnrichment

Updated: 2026-03-10T16:40:56.028Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:53.070

Modified: 2026-03-18T17:13:34.240

Link: CVE-2026-30933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z
