Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebrowser (with create + delete permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored share.Link.Path. The file contents of the victim are not exposed, but the victim's share links are irrevocably wiped. This vulnerability is fixed in 2.63.6.
Published: 2026-06-25
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

File Browser permits a low‑privileged authenticated user, with create and delete permissions only in their own scoped directory, to silently erase share‑link records of any other user, including administrators, by sending a legitimate DELETE request for a file whose logical path is a byte‑prefix of another user’s stored share link path. The victim’s file data remain protected, but the shared access granted to the victim is irreversibly lost. This flaw represents a privilege escalation and unauthorized data deletion vulnerability, identified as CWE‑639.
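The following Go sketch is an added illustration, not File Browser's own code, of the failure mode the advisory describes: a share-store deletion keyed on an unbounded byte-prefix match with no owner check, shown beside a hardened variant that only removes records owned by the requesting user and only where the match ends at a path-segment boundary. The `Link` and `Store` types, the seeded sample records, and every function name except the advisory's `DeleteWithPathPrefix` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Link models a stored share-link record: its hash, the logical path it
// points at and the ID of the user who created it. Illustrative type only,
// not File Browser's own schema.
type Link struct {
	Hash   string
	Path   string
	UserID uint
}

// Store is an in-memory stand-in for the share-link storage backend.
type Store struct {
	links []Link
}

// seed builds a constructed sample store: two shares owned by the
// administrator (user 1) and two owned by a low-privileged user (user 2).
func seed() *Store {
	return &Store{links: []Link{
		{Hash: "adm1", Path: "/report-final.pdf", UserID: 1},
		{Hash: "adm2", Path: "/reports/q1.xlsx", UserID: 1},
		{Hash: "usr1", Path: "/report", UserID: 2},
		{Hash: "usr2", Path: "/report/notes.txt", UserID: 2},
	}}
}

// remaining returns the hashes of the records still in the store.
func (s *Store) remaining() []string {
	out := make([]string, 0, len(s.links))
	for _, l := range s.links {
		out = append(out, l.Hash)
	}
	return out
}

// deleteWithPathPrefixVulnerable follows the pattern the advisory describes:
// any record whose Path starts with the given bytes is removed, with no owner
// check and no segment boundary, so deleting "/report" also matches another
// user's "/report-final.pdf" and "/reports/q1.xlsx".
func (s *Store) deleteWithPathPrefixVulnerable(prefix string) int {
	var kept []Link
	removed := 0
	for _, l := range s.links {
		if strings.HasPrefix(l.Path, prefix) {
			removed++
			continue
		}
		kept = append(kept, l)
	}
	s.links = kept
	return removed
}

// underPath reports whether p is dir itself or lies beneath dir as a
// directory, i.e. the prefix match must end at a "/" boundary.
func underPath(p, dir string) bool {
	p, dir = path.Clean(p), path.Clean(dir)
	if p == dir || dir == "/" {
		return true
	}
	return strings.HasPrefix(p, dir+"/")
}

// deleteWithPathPrefixHardened removes only records owned by the requesting
// user, and only where the record's path is the deleted path or beneath it.
func (s *Store) deleteWithPathPrefixHardened(userID uint, prefix string) int {
	var kept []Link
	removed := 0
	for _, l := range s.links {
		if l.UserID == userID && underPath(l.Path, prefix) {
			removed++
			continue
		}
		kept = append(kept, l)
	}
	s.links = kept
	return removed
}

func main() {
	s := seed()
	fmt.Printf("vulnerable: removed %d, remaining %v\n",
		s.deleteWithPathPrefixVulnerable("/report"), s.remaining())

	s = seed()
	fmt.Printf("hardened:   removed %d, remaining %v\n",
		s.deleteWithPathPrefixHardened(2, "/report"), s.remaining())
}
```

Run as-is, the vulnerable path wipes all four records when user 2 deletes "/report", while the hardened path removes only that user's two records and leaves the administrator's shares untouched. The owner check is the decisive fix; the segment-boundary check additionally stops a user's own "/report" from cascading onto their unrelated "/report-old" share.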

Affected Systems

The vulnerability affects File Browser releases prior to version 2.63.6. Users running any 2.x series filebrowser instance before the v2.63.6 release are impacted. A patch that resolves the issue is available in the 2.63.6 tag of the project.

Risk and Exploitability

The flaw carries a CVSS score of 7.2, indicating a high severity but moderate exploitability. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no widely publicized exploits yet. The attack requires authenticated access with create and delete permissions, meaning that any authenticated user with those minimal rights could exploit the bug by accessing a file path that is a prefix of another user's share link. The risk is elevated for environments where user accounts have these permissions, particularly if share links are commonly used for external access.

Generated by OpenCVE AI on June 25, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.63.6 or later to apply the vendor‑supplied fix.
  • If an upgrade cannot be performed immediately, audit and recreate all user share links to ensure no unintended deletion has occurred, and notify users of the potential loss of shared access.
  • Review and adjust permission models so that users with create and delete rights are confined to their own directories and cannot target share link records belonging to other users.

Advisories
Source: GitHub GHSA
ID: GHSA-5ww9-jg6q-38r7
Title: File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix
History

Fri, 26 Jun 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 22:15:00 +0000

Type: First Time appeared
Values Added: Filebrowser; Filebrowser filebrowser
Type: Vendors & Products
Values Added: Filebrowser; Filebrowser filebrowser

Thu, 25 Jun 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 18:30:00 +0000

Type: Description
Values Added: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebrowser (with create + delete permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored share.Link.Path. The file contents of the victim are not exposed, but the victim's share links are irrevocably wiped. This vulnerability is fixed in 2.63.6.
Type: Title
Values Added: File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix
Type: Weaknesses
Values Added: CWE-639
Type: References
Type: Metrics (cvssV4_0)
Values Added: {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Filebrowser Filebrowser
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T13:54:00.964Z

Reserved: 2026-06-11T18:44:47.762Z

Link: CVE-2026-54097

Vulnrichment

Updated: 2026-06-25T18:58:17.567Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T22:00:12Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key