Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other content-serving endpoints (/api/raw, /api/preview, /api/subtitle) correctly verify this permission before serving content. A user with download: false can read any text file within their scope through two bypass paths. This vulnerability is fixed in 2.63.1.
Published: 2026-04-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of file content
Action: Patch Now
AI Analysis

Impact

File Browser, a file management interface, contains an access control flaw in the resourceGetHandler of http/resource.go. Before version 2.63.1 this handler returns the full text of any file in the configured directory without performing the Perm.Download permission check. An attacker holding a user account with download: false can therefore read arbitrary text files within their permitted scope, a confidentiality breach classified as CWE-862 (access control failure).

Affected Systems

The vulnerability affects the File Browser product (identified as filebrowser:filebrowser). All releases prior to version 2.63.1 are vulnerable. The flaw is present in the /api/resources endpoint when requesting text file content. Upgrading to 2.63.1 or later removes the bypass by enforcing the download permission on all content-serving paths.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, with EPSS data unavailable and no inclusion in CISA's KEV catalog. The attack vector is network-based; an attacker who authenticates to the File Browser instance and possesses a user identity lacking download permission can issue a simple HTTP GET to /api/resources and obtain the file body. No privilege escalation or remote code execution is needed, but the confidentiality impact can be significant for sensitive directories.

Generated by OpenCVE AI on April 7, 2026 at 23:20 UTC.
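
The pattern behind this advisory, a content-serving handler that authenticates the caller but never consults the Perm.Download flag, is easy to see side by side with its hardened form. The Go program below is an added illustration written for this page; it is not File Browser's http/resource.go, and the Perm/User types, the in-memory Store, the X-Demo-User header used to identify the caller, and the 403 response chosen for the hardened handler are all constructed assumptions. The vulnerable handler returns the file body to any authenticated user; the fixed one applies the same gate the description attributes to /api/raw, /api/preview and /api/subtitle.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Perm is a stand-in for a file-manager user's permission flags; only
// Download matters for this example (assumed shape, not File Browser's type).
type Perm struct {
	Download bool `json:"download"`
}

// User is a constructed user record; real code would load it from the session.
type User struct {
	Name string
	Perm Perm
}

// Store is an in-memory map of path -> text content so the example needs no disk.
type Store map[string]string

// resource is the JSON shape returned for a file resource.
type resource struct {
	Path    string `json:"path"`
	Size    int    `json:"size"`
	Content string `json:"content,omitempty"`
}

// users is a constructed table keyed by the X-Demo-User header (assumed
// authentication shortcut standing in for a real session/JWT lookup).
var users = map[string]*User{
	"alice": {Name: "alice", Perm: Perm{Download: true}},
	"bob":   {Name: "bob", Perm: Perm{Download: false}},
}

func userFromRequest(r *http.Request) *User {
	return users[r.Header.Get("X-Demo-User")]
}

// vulnerableResourceGet reproduces the flawed pattern: once the caller is
// authenticated and the path exists, the full text body is returned
// regardless of Perm.Download.
func vulnerableResourceGet(store Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		u := userFromRequest(r)
		if u == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		path := strings.TrimPrefix(r.URL.Path, "/api/resources")
		body, ok := store[path]
		if !ok {
			http.NotFound(w, r)
			return
		}
		json.NewEncoder(w).Encode(resource{Path: path, Size: len(body), Content: body})
	}
}

// fixedResourceGet applies the download gate before any content is written.
// A 403 is used here so the refusal is visible in access logs; this is the
// example's choice, not necessarily the upstream fix.
func fixedResourceGet(store Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		u := userFromRequest(r)
		if u == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		path := strings.TrimPrefix(r.URL.Path, "/api/resources")
		body, ok := store[path]
		if !ok {
			http.NotFound(w, r)
			return
		}
		if !u.Perm.Download {
			http.Error(w, "download permission required", http.StatusForbidden)
			return
		}
		json.NewEncoder(w).Encode(resource{Path: path, Size: len(body), Content: body})
	}
}

// serve drives a handler in-process and returns status code and body.
func serve(h http.Handler, user, path string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/resources"+path, nil)
	if user != "" {
		req.Header.Set("X-Demo-User", user)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	store := Store{"/notes.txt": "constructed secret text"} // constructed sample file
	for _, name := range []string{"alice", "bob"} {
		c1, _ := serve(vulnerableResourceGet(store), name, "/notes.txt")
		c2, _ := serve(fixedResourceGet(store), name, "/notes.txt")
		fmt.Printf("%s: vulnerable=%d fixed=%d\n", name, c1, c2)
	}
}
```

Running it shows bob (download: false) receiving 200 and the file body from the vulnerable handler but 403 from the fixed one, while alice gets the content from both. The check sits before the response is written, which is the property to verify when auditing every endpoint that can emit file content, not only the one named in the advisory.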

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.63.1 or newer, which enforces download permissions for all endpoints.
  • Verify that the download permission flag is correctly configured for each user role and audit access controls.
  • Restrict access to the File Browser instance to trusted IP ranges using network firewalls or reverse proxies.
  • Monitor logs for anomalous /api/resources requests that return file contents from users with download: false.

Generated by OpenCVE AI on April 7, 2026 at 23:20 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-67cg-cpj7-qgc9
Title: File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
History

Thu, 16 Apr 2026 18:30:00 +0000

Type: CPEs
Values removed: none
Values added: cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 09 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 20:15:00 +0000

Type: First Time appeared
Values removed: none
Values added: Filebrowser; Filebrowser filebrowser

Type: Vendors & Products
Values removed: none
Values added: Filebrowser; Filebrowser filebrowser

Tue, 07 Apr 2026 18:00:00 +0000

Type: Description
Values removed: none
Values added: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other content-serving endpoints (/api/raw, /api/preview, /api/subtitle) correctly verify this permission before serving content. A user with download: false can read any text file within their scope through two bypass paths. This vulnerability is fixed in 2.63.1.

Type: Title
Values removed: none
Values added: File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check

Type: Weaknesses
Values removed: none
Values added: CWE-862

Type: References

Type: Metrics (cvssV4_0)
Values removed: none
Values added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:18:22.881Z

Reserved: 2026-04-03T21:25:12.162Z

Link: CVE-2026-35606

Vulnrichment

Updated: 2026-04-09T15:15:19.731Z

NVD

Status: Analyzed

Published: 2026-04-07T17:16:34.737

Modified: 2026-04-16T18:16:28.757

Link: CVE-2026-35606

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:47:55Z

Weaknesses