Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope. As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through `GET /api/public/share/*` and `GET /api/public/dl/*`. This vulnerability is fixed in 2.63.6.
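The rule-evaluation mistake described above can be illustrated with a small Go model. This is an added example, not File Browser's own code: the Rule type, the denied helper and the sample scope, share and rule paths are all constructed assumptions. It evaluates the same deny rule twice, once against the path rebased to the shared directory (the pre-2.63.6 behaviour) and once against the path relative to the owner's scope, and also rejects a descendant that resolves outside the shared directory.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is a simplified model of an owner rule: a path relative to the owner's
// filesystem scope plus whether it is allowed or denied. Constructed for this
// example; it is not File Browser's own rule type.
type Rule struct {
	Path  string
	Allow bool
}

// denied reports whether the last rule covering rel (a path relative to the
// owner's scope) is a deny rule. "Last matching rule wins" is an assumption
// of this model.
func denied(rules []Rule, rel string) bool {
	rel = path.Clean("/" + rel)
	result := false
	for _, r := range rules {
		rp := path.Clean("/" + r.Path)
		if rel == rp || strings.HasPrefix(rel, rp+"/") {
			result = !r.Allow
		}
	}
	return result
}

// VulnerableShareCheck models the flaw: the owner's root is rebased to the
// shared directory, so the path handed to the rule check is relative to the
// share rather than to the owner's scope. A rule written as
// "/projects/secret" never matches "/secret/notes.txt".
func VulnerableShareCheck(rules []Rule, sharePath, descendant string) bool {
	rebased := path.Clean("/" + descendant)
	return !denied(rules, rebased)
}

// FixedShareCheck joins the share path with the descendant so the rules see
// the same path the owner wrote them against. It also refuses any result
// that escapes the shared directory.
func FixedShareCheck(rules []Rule, sharePath, descendant string) bool {
	share := path.Clean("/" + sharePath)
	original := path.Join(share, descendant)
	if original != share && !strings.HasPrefix(original, share+"/") {
		return false // resolved outside the shared directory
	}
	return !denied(rules, original)
}

func main() {
	// Constructed sample: the owner shares /projects but has denied
	// /projects/secret with a rule.
	rules := []Rule{{Path: "/projects/secret", Allow: false}}
	share := "/projects"

	for _, d := range []string{"secret/notes.txt", "public/readme.md", "../other/file"} {
		fmt.Printf("%-18s vulnerable=%-5v fixed=%v\n", d,
			VulnerableShareCheck(rules, share, d),
			FixedShareCheck(rules, share, d))
	}
}
```

Run it and the first line shows the defect: the rebased check allows "secret/notes.txt" because no rule matches the share-relative path, while the scope-relative check denies it. The third line shows why the fixed variant also needs the containment check: a descendant that resolves outside the share is rejected outright rather than being evaluated against unrelated rules.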
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

File Browser, a file‑management web interface, incorrectly evaluated user‑defined access rules for public shares, rebasing requested paths to the share root instead of the original filesystem scope. This allowed an attacker who knows a public share URL to read or list files and subdirectories that the owner had explicitly blocked, resulting in confidential data exposure without authentication.

Affected Systems

The vulnerability affects the File Browser application in all releases prior to version 2.63.6. Installations running version 2.63.5 or older are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates substantial severity. Although the EPSS score is currently unavailable and the issue is not listed in the CISA KEV catalog, the only precondition is knowledge of a public share URL, so exploitation at scale remains possible. An attacker can perform unauthenticated GET requests to /api/public/share/* or /api/public/dl/* paths, bypassing the intended rule restrictions and revealing sensitive filesystem contents beneath the shared directory.

Generated by OpenCVE AI on June 25, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.63.6 or later to apply the fix for the path rebasing flaw.
  • If an immediate upgrade is not possible, block or remove the public share URLs to prevent unauthenticated access.
  • Verify that the public share feature is disabled on all servers or that share URLs are only exposed to trusted networks.



Advisories
Source: Github GHSA
ID: GHSA-j9jx-hp4c-ghhh
Title: File Browser has incorrect access control for public directory shares via rule path rebasing
History

Fri, 26 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 21:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Filebrowser; Filebrowser filebrowser

Type: Vendors & Products
Values Removed: (none)
Values Added: Filebrowser; Filebrowser filebrowser

Thu, 25 Jun 2026 18:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope. As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through `GET /api/public/share/*` and `GET /api/public/dl/*`. This vulnerability is fixed in 2.63.6.

Type: Title
Values Removed: (none)
Values Added: File Browser: Incorrect access control in public directory shares via rule path rebasing

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-863

Type: References
Values Removed: (none)
Values Added:

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added:

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:42:39.910Z

Reserved: 2026-06-11T18:44:47.761Z

Link: CVE-2026-54091

Vulnrichment

Updated: 2026-06-26T18:37:58.735Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses