CVE-2026-32761

Exploit

EPSS 0.42%
Veröffentlicht 19.03.2026 23:45:33
Zuletzt bearbeitet 23.03.2026 16:56:04
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

File Browser has an Authorization Policy Bypass in its Public Share Download Flow

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/<hash>) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Filebrowser ≫ Filebrowser Version < 2.62.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.42%	0.338

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0

Product

Release Notes

https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9

Vendor Advisory

Exploit

https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-32761

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32761

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32761

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32761