Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.7, `POST /api/share/<path>` accepts an authenticated request for an arbitrary path and stores a public share record without checking whether the target file currently exists. Later, when a file is created at that same path, the previously created public share immediately becomes valid and exposes the new file through `GET /api/public/dl/<hash>`. This vulnerability is fixed in 2.63.7.
Published: 2026-06-25
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

File Browser was found to allow an authenticated user to create a public share for any specified path, even if the target file did not yet exist. When a file is later created at that path, the pre‑created share becomes valid and can be used to download the new file via an unauthenticated endpoint. This flaw permits authenticated attackers to expose arbitrary files publicly, compromising confidentiality without needing further privileges.

Affected Systems

The vulnerability affects the File Browser product from the filebrowser vendor. All released versions prior to 2.63.7 (including 2.63.6 and earlier) are impacted. No other vendors or products are listed.

Risk and Exploitability

With a CVSS score of 8.4, the risk is high. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. An attack requires valid user credentials to create the share; once the share is created, an unauthenticated download is possible. The flaw is sufficiently exploitable that an attacker with authentication can achieve public data exposure quickly.

Generated by OpenCVE AI on June 25, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update File Browser to version 2.63.7 or later, which validates file existence before creating a public share.
  • Revoke or restrict the credentials of users who can create public shares if an immediate upgrade is not possible.
  • Implement monitoring to detect unexpected creation of public shares for non‑existent paths and investigate any anomalies.
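
The existence check and the dangling-share audit described in the actions above, as an added Go sketch that is not File Browser's own code. The `Share` type, the in-memory store, and the function names are hypothetical; the sample paths are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Share is a hypothetical public share record (not File Browser's own type).
type Share struct {
	Hash string // token used by the public download endpoint
	Path string // path relative to the served root
}

var ErrNoTarget = errors.New("share target does not exist")

// resolve maps a share path under root; Clean("/"+p) keeps it inside root.
func resolve(root, p string) string {
	return filepath.Join(root, filepath.Clean("/"+filepath.ToSlash(p)))
}

// CreateShare stores the record only if the target exists at creation time,
// so a share cannot be pre-created for a file that appears later.
func CreateShare(root string, store map[string]Share, s Share) error {
	if _, err := os.Stat(resolve(root, s.Path)); errors.Is(err, os.ErrNotExist) {
		return ErrNoTarget
	} else if err != nil {
		return err
	}
	store[s.Hash] = s
	return nil
}

// DanglingShares lists stored shares whose target is missing: records that
// may predate the fix and should be reviewed and revoked.
func DanglingShares(root string, store map[string]Share) []Share {
	var out []Share
	for _, s := range store {
		if _, err := os.Stat(resolve(root, s.Path)); errors.Is(err, os.ErrNotExist) {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	root, _ := os.MkdirTemp("", "shares") // constructed, empty sample tree
	defer os.RemoveAll(root)
	store := map[string]Share{"old1": {"old1", "future/report.txt"}} // constructed legacy record
	fmt.Println(CreateShare(root, store, Share{"h2", "future/new.txt"}), DanglingShares(root, store))
}
```

Upgrading does not remove share records written before the fix, so an audit of this kind is worth running once against the existing share database.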


Advisories
Source: GitHub GHSA
ID: GHSA-3q2p-72cj-682c
Title: File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path

History

Thu, 25 Jun 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Filebrowser; Filebrowser filebrowser

Type: Vendors & Products
Values Added: Filebrowser; Filebrowser filebrowser

Thu, 25 Jun 2026 19:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 18:30:00 +0000

Type: Description
Values Added: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.7, `POST /api/share/<path>` accepts an authenticated request for an arbitrary path and stores a public share record without checking whether the target file currently exists. Later, when a file is created at that same path, the previously created public share immediately becomes valid and exposes the new file through `GET /api/public/dl/<hash>`. This vulnerability is fixed in 2.63.7.

Type: Title
Values Added: File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path

Type: Weaknesses
Values Added: CWE-863

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:36:04.526Z

Reserved: 2026-06-11T18:44:47.762Z

Link: CVE-2026-54096

Vulnrichment

Updated: 2026-06-25T18:35:19.045Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z
