Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/<hash>) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0.
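The authorization gap described above, reduced to its essentials as an added Go illustration (File Browser is written in Go, but this is not the project's code: the Perm, User and Share types, the file map and the handler functions are a hypothetical model). The vulnerable handler serves any valid share hash, while the hardened handler re-checks the share owner's download permission at request time, which is the check the advisory says was missing:

```go
package main

import "errors"

// Perm mirrors the two flags named in the advisory (perm.download, perm.share).
// Hypothetical model for illustration, not File Browser's own user type.
type Perm struct {
	Download bool
	Share    bool
}

// User is the account that created the share; its Perm may change later.
type User struct{ Perm Perm }

// Share is a public link: anyone holding Hash can request /api/public/dl/<hash>.
type Share struct {
	Hash  string
	Path  string
	Owner *User
}

var ErrForbidden = errors.New("forbidden")

// files stands in for the served directory (constructed sample content).
var files = map[string]string{"/finance/q1.csv": "constructed,sample,row"}

// createShare reproduces the pre-2.62.0 pattern: only Perm.Share is checked,
// so a user denied downloads can still mint a public link.
func createShare(u *User, path, hash string) (*Share, error) {
	if !u.Perm.Share {
		return nil, ErrForbidden
	}
	return &Share{Hash: hash, Path: path, Owner: u}, nil
}

// publicDownloadVulnerable serves content for any valid share without looking
// at who created it; this is the gap the advisory describes.
func publicDownloadVulnerable(s *Share) (string, error) {
	return files[s.Path], nil
}

// publicDownloadFixed re-evaluates the owner's download right at request time,
// so the link never grants more than the owner holds and closes on revocation.
func publicDownloadFixed(s *Share) (string, error) {
	if !s.Owner.Perm.Download {
		return "", ErrForbidden
	}
	return files[s.Path], nil
}
```

Checking at request time rather than only at share creation also covers the case where perm.download is revoked after a link already exists.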
Published: 2026-03-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data exfiltration via unrestricted public download links
Action: Immediate Patch
AI Analysis

Impact

Versions 2.61.0 and earlier of File Browser contain a permission enforcement bypass that lets users who lack download rights but hold share rights obtain file contents. The share endpoint creates a public URL after checking only the share permission, and the public download handler then serves the file without re-checking the owner's download permission, so an authenticated user can circumvent the download restriction. This undermines data-loss prevention and role segregation, exposing sensitive files to unauthorized access.

Affected Systems

File Browser versions 2.61.0 and below are vulnerable. The issue is catalogued under the filebrowser:filebrowser product line. No other vendor or product variants are listed as affected.

Risk and Exploitability

The CVSS score of 6.5 classifies the vulnerability as moderate severity; EPSS indicates an exceptionally low probability of exploitation (< 1%). The attack requires authentication and share privileges, so only authorized users holding share rights can exploit the flaw. Since the exploit does not rely on untrusted input or privilege escalation, the scope is limited to file data exfiltration rather than full system compromise. The absence of a CISA KEV listing further reflects the relatively low exploit likelihood.

Generated by OpenCVE AI on March 23, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.62.0 or later, which contains the fix for the share download bypass.



Advisories
Source: GitHub GHSA
ID: GHSA-68j5-4m99-w9w9
Title: File Browser has an Authorization Policy Bypass in Public Share Download Flow
History

Mon, 23 Mar 2026 17:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

Sat, 21 Mar 2026 05:30:00 +0000

Type: Metrics (ssvc)
Values Added:
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Filebrowser; Filebrowser filebrowser
Type: Vendors & Products
Values Added: Filebrowser; Filebrowser filebrowser

Fri, 20 Mar 2026 00:00:00 +0000

Type: Description
Values Added: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/<hash>) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0.
Type: Title
Values Added: File Browser has an Authorization Policy Bypass in its Public Share Download Flow
Type: Weaknesses
Values Added: CWE-284; CWE-639; CWE-863
Type: References
Values Added: (none listed)
Type: Metrics (cvssV3_1)
Values Added:
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-21T03:04:15.817Z

Reserved: 2026-03-13T18:53:03.533Z

Link: CVE-2026-32761

Vulnrichment

Updated: 2026-03-21T03:04:11.786Z

NVD

Status: Analyzed

Published: 2026-03-20T00:16:17.617

Modified: 2026-03-23T16:56:04.520

Link: CVE-2026-32761

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:10:29Z

Weaknesses