Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. This vulnerability is fixed in 2.63.1.
Published: 2026-04-07
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data disclosure via lingering share links
Action: Immediate Patch
AI Analysis

Impact

File Browser allows users to create share links that enable others to download content. In versions prior to 2.63.1, when an administrator revokes a user's Share and Download permissions, the system fails to re-evaluate those permissions for existing links, meaning anyone who knows the URL can still download the file. This leads to unauthorized data disclosure and is classified under CWE-863, Missing Authorization. The CVSS score of 8.2 indicates a high-severity vulnerability.
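
The missing check described above, as an added Go sketch that is not File Browser's own code: the types, the `/share` path, the `hash` query parameter and the sample data are all constructed for illustration. The same public handler is run with and without a lookup of the share owner's current permissions at request time.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical types for this sketch; they are not File Browser's own.
type Perm struct{ Share, Download bool }
type Share struct{ OwnerID, Content string }
type Store struct {
	Users  map[string]Perm  // current permissions per user
	Shares map[string]Share // keyed by share-link hash
}

// PublicShare serves a share link with no authentication. recheck=false trusts
// the stored link alone; recheck=true reads the owner's permissions per request.
func PublicShare(s *Store, recheck bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sh, ok := s.Shares[r.URL.Query().Get("hash")]
		if !ok {
			http.NotFound(w, r)
			return
		}
		if recheck {
			p, ok := s.Users[sh.OwnerID]
			if !ok || !p.Share || !p.Download { // owner deleted or revoked
				http.Error(w, "share no longer authorized", http.StatusForbidden)
				return
			}
		}
		fmt.Fprint(w, sh.Content)
	}
}

// StatusAfterRevoke creates a share, revokes the owner, then fetches the link anonymously.
func StatusAfterRevoke(recheck bool) int {
	s := &Store{
		Users:  map[string]Perm{"alice": {Share: true, Download: true}},
		Shares: map[string]Share{"abc123": {OwnerID: "alice", Content: "constructed sample"}},
	}
	s.Users["alice"] = Perm{} // admin revokes Share and Download
	rec := httptest.NewRecorder()
	PublicShare(s, recheck)(rec, httptest.NewRequest("GET", "/share?hash=abc123", nil))
	return rec.Code
}

func main() { fmt.Println(StatusAfterRevoke(false), StatusAfterRevoke(true)) } // 200 403
```

Denying when the owner record is missing covers deleted accounts as well as revoked permissions.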

Affected Systems

The affected product is File Browser, a file-management interface. All releases earlier than version 2.63.1 are impacted; the fix is included in 2.63.1 and subsequent releases.

Risk and Exploitability

With a CVSS score of 8.2, the risk is substantial. The EPSS score is not available and the issue is not listed in CISA's KEV catalog, but the vulnerability can be exploited by anyone possessing a previously issued share link. Since no authentication is required and the flaw stems from a missing permission check, the attack vector is likely to be a simple URL request to the public download endpoint. The potential impact is full disclosure of files that were intended to be restricted after permission revocation.

Generated by OpenCVE AI on April 7, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.63.1 or newer to eliminate the permission re-check bypass.
  • If an upgrade cannot be performed immediately, delete or invalidate all existing share links and disable the sharing feature until a patch is applied.
  • Monitor log files for unauthorized download attempts that match known share link patterns.
  • Review user permissions regularly to ensure no unintended share links remain active.

Advisories
Source | ID | Title
Github GHSA | GHSA-v9w4-gm2x-6rvf | File Browser share links remain accessible after Share/Download permissions are revoked
History

Thu, 16 Apr 2026 18:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Wed, 08 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Filebrowser; Filebrowser filebrowser
Vendors & Products | | Filebrowser; Filebrowser filebrowser

Tue, 07 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. This vulnerability is fixed in 2.63.1.
Title | | File Browser share links remain accessible after Share/Download permissions are revoked
Weaknesses | | CWE-863
References | |
Metrics | | cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T18:26:43.881Z

Reserved: 2026-04-03T21:25:12.162Z

Link: CVE-2026-35604

Vulnrichment

Updated: 2026-04-07T18:26:39.371Z

NVD

Status: Analyzed

Published: 2026-04-07T17:16:34.443

Modified: 2026-04-16T18:30:57.773

Link: CVE-2026-35604

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:47:59Z