VYPR
High severity · NVD Advisory · Published Feb 25, 2026 · Updated Feb 27, 2026

FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

CVE-2026-27611

Description

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FileBrowser Quantum prior to 1.1.3-stable and 1.2.6-beta exposes a direct download link via the share API, allowing download of password-protected files without the password.

FileBrowser Quantum is a free, self-hosted, web-based file manager [2]. Prior to versions 1.1.3-stable and 1.2.6-beta, a vulnerability exists in the share feature: when a user creates a password-protected share, the public API endpoint /public/api/shareinfo returns a downloadURL field that includes an authentication token, even if the request does not supply the password [1][3]. This exposes the file directly.

An attacker only needs the share link (the hash) to exploit this flaw. By sending a simple GET request to https://example.com/public/api/shareinfo?hash=, the attacker receives the full share details, including the download URL. No password is required, and the attacker can then use that URL to download the file [3]. The share need not be configured for anonymous access; any share with a password is vulnerable.

The impact is a complete bypass of password protection. Any file shared with a password is accessible to anyone who obtains the share link, undermining the intended security control. This could lead to unauthorized disclosure of sensitive data.

The fix, implemented in commit a8c9b94 [4], removes the shareInfoHandler endpoint entirely, preventing the unauthorized exposure of the download token. Users should upgrade to version 1.1.3-stable or 1.2.6-beta (or later). No workaround is documented; administrators on affected versions should avoid using password-protected shares until upgraded.
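As an added illustration, not code from the FileBrowser Quantum project: a minimal Go model of the share-info decision described above, with the flawed pattern (token-bearing download link built for anyone who knows the hash) beside a variant that returns only metadata until the share password is verified. The Share and ShareInfo types, the downloadPath route and the SHA-256 password hash are hypothetical stand-ins, not the project's own.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

const downloadPath = "/public/api/share/download" // hypothetical route, not taken from the advisory
// Share is a stand-in for the project's share record (field names are hypothetical).
type Share struct {
	Hash         string
	PasswordHash []byte // nil when the share has no password
	Token        string // secret that authorises a direct download
}

// ShareInfo is the public response; an empty DownloadURL is omitted from the JSON entirely.
type ShareInfo struct {
	Hash        string `json:"hash"`
	Protected   bool   `json:"protected"`
	DownloadURL string `json:"downloadURL,omitempty"`
}
func hashPassword(p string) []byte { h := sha256.Sum256([]byte(p)); return h[:] }
// passwordOK: open shares pass; protected shares need a constant-time match against the stored
// hash. A real deployment would use a slow password hash (bcrypt/argon2), not bare SHA-256.
func passwordOK(s Share, supplied string) bool {
	if s.PasswordHash == nil {
		return true
	}
	return subtle.ConstantTimeCompare(s.PasswordHash, hashPassword(supplied)) == 1
}

// buildInfo assembles the response; includeURL decides whether the token-bearing link is exposed.
func buildInfo(s Share, includeURL bool) ShareInfo {
	info := ShareInfo{Hash: s.Hash, Protected: s.PasswordHash != nil}
	if includeURL {
		info.DownloadURL = fmt.Sprintf("%s?hash=%s&token=%s", downloadPath, s.Hash, s.Token)
	}
	return info
}

// vulnerableInfo mirrors the flaw: the link is built for anyone who knows the share hash.
func vulnerableInfo(s Share) ShareInfo { return buildInfo(s, true) }
// hardenedInfo still reports that the share exists and is protected; the link needs the password.
func hardenedInfo(s Share, supplied string) ShareInfo { return buildInfo(s, passwordOK(s, supplied)) }

func main() {
	s := Share{Hash: "abc123", PasswordHash: hashPassword("hunter2"), Token: "tok-secret"}
	fmt.Printf("flawed: %+v\nhardened: %+v\n", vulnerableInfo(s), hardenedInfo(s, ""))
}
```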

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                           Affected versions                     Patched versions
github.com/gtsteffaniak/filebrowser/backend (Go)  < 0.0.0-20260221163904-dbcfba993b85   0.0.0-20260221163904-dbcfba993b85

Affected products (2)

  • Range: < 1.1.3-stable, < 1.2.6-beta
  • gtsteffaniak/filebrowserv5
    Range: < 1.1.3-stable

Patches (2)

a8c9b9419ec5

updated

https://github.com/gtsteffaniak/filebrowser · Graham Steffaniak · Feb 22, 2026 · via ghsa
1 file changed · +0 −40
  • backend/http/share.go (+0 −40, modified)
    @@ -592,46 +592,6 @@ func getShareURL(r *http.Request, hash string, isDirectDownload bool, token stri
     	return shareURL
     }
     
    -// shareInfoHandler retrieves share information by hash.
    -// @Summary Get share information by hash
    -// @Description Returns information about a share link based on its hash. This endpoint is publicly accessible and can be used with or without authentication.
    -// @Tags Shares
    -// @Accept json
    -// @Produce json
    -// @Param hash query string true "Hash of the share link"
    -// @Success 200 {object} share.CommonShare "Share information"
    -// @Failure 404 {object} map[string]string "Share hash not found"
    -// @Router /public/api/shareinfo [get]
    -func shareInfoHandler(w http.ResponseWriter, r *http.Request, d *requestContext) (int, error) {
    -	hash := r.URL.Query().Get("hash")
    -	// Get the file link by hash (need full Link to get Token)
    -	shareLink, err := store.Share.GetByHash(hash)
    -	if err != nil {
    -		return http.StatusNotFound, fmt.Errorf("share hash not found")
    -	}
    -	commonShare := shareLink.CommonShare
    -	commonShare.ShareURL = getShareURL(r, hash, false, "")
    -	_, _, err = getShareImagePartsHelper(shareLink, true)
    -	if err == nil {
    -		commonShare.BannerUrl = fmt.Sprintf("%spublic/api/share/image?banner=true&hash=%s", config.Server.BaseURL, hash)
    -	}
    -	_, _, err = getShareImagePartsHelper(shareLink, false)
    -	if err == nil {
    -		commonShare.FaviconUrl = fmt.Sprintf("%spublic/api/share/image?favicon=true&hash=%s", config.Server.BaseURL, hash)
    -	}
    -	commonShare.Source = ""
    -	commonShare.Path = ""
    -	commonShare.SidebarLinks = []users.SidebarLink{}
    -	for _, link := range shareLink.SidebarLinks {
    -		if link.Category == "download" && shareLink.ShareType == "upload" {
    -			continue
    -		} else {
    -			commonShare.SidebarLinks = append(commonShare.SidebarLinks, link)
    -		}
    -	}
    -	return renderJSON(w, r, commonShare)
    -}
    -
     func getSharePasswordHash(body share.CreateBody) (data []byte, statuscode int, err error) {
     	if body.Password == "" {
     		return nil, 0, nil
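Review bot: The deleted body shows the root cause: `commonShare := shareLink.CommonShare` copies the whole share record and only Source, Path and SidebarLinks are blanked before renderJSON, so every other field (including whatever carries the token the comment `need full Link to get Token` refers to) was returned to any caller who knew the hash, with no check of the share's password. Deleting the handler closes that path, but the route registration for /public/api/shareinfo and the swagger-generated @Router entry live outside this hunk; confirm they are removed in the same change, otherwise the package will not build against the missing symbol and the generated API docs will still advertise the endpoint.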
    
c51b0ee9738f

updated public share handler

https://github.com/gtsteffaniak/filebrowser · Graham Steffaniak · Feb 22, 2026 · via ghsa
1 file changed · +41 −0
  • backend/http/public.go (+41 −0, modified)
    @@ -12,6 +12,7 @@ import (
     	"github.com/gtsteffaniak/filebrowser/backend/common/settings"
     	"github.com/gtsteffaniak/filebrowser/backend/common/utils"
     	"github.com/gtsteffaniak/filebrowser/backend/database/share"
    +	"github.com/gtsteffaniak/filebrowser/backend/database/users"
     	"github.com/gtsteffaniak/filebrowser/backend/preview"
     	"github.com/gtsteffaniak/go-logger/logger"
     
    @@ -490,3 +491,43 @@ func getShareImagePartsHelper(share *share.Link, isBanner bool) (string, string,
     
     	return sourceName, assetPath, nil
     }
    +
    +// shareInfoHandler retrieves share information by hash.
    +// @Summary Get share information by hash
    +// @Description Returns information about a share link based on its hash. This endpoint is publicly accessible and can be used with or without authentication.
    +// @Tags Shares
    +// @Accept json
    +// @Produce json
    +// @Param hash query string true "Hash of the share link"
    +// @Success 200 {object} share.CommonShare "Share information"
    +// @Failure 404 {object} map[string]string "Share hash not found"
    +// @Router /public/api/shareinfo [get]
    +func shareInfoHandler(w http.ResponseWriter, r *http.Request, d *requestContext) (int, error) {
    +	hash := r.URL.Query().Get("hash")
    +	// Get the file link by hash (need full Link to get Token)
    +	shareLink, err := store.Share.GetByHash(hash)
    +	if err != nil {
    +		return http.StatusNotFound, fmt.Errorf("share hash not found")
    +	}
    +	commonShare := shareLink.CommonShare
    +	commonShare.ShareURL = getShareURL(r, hash, false, "")
    +	_, _, err = getShareImagePartsHelper(shareLink, true)
    +	if err == nil {
    +		commonShare.BannerUrl = fmt.Sprintf("%spublic/api/share/image?banner=true&hash=%s", config.Server.BaseURL, hash)
    +	}
    +	_, _, err = getShareImagePartsHelper(shareLink, false)
    +	if err == nil {
    +		commonShare.FaviconUrl = fmt.Sprintf("%spublic/api/share/image?favicon=true&hash=%s", config.Server.BaseURL, hash)
    +	}
    +	commonShare.Source = ""
    +	commonShare.Path = ""
    +	commonShare.SidebarLinks = []users.SidebarLink{}
    +	for _, link := range shareLink.SidebarLinks {
    +		if link.Category == "download" && shareLink.ShareType == "upload" {
    +			continue
    +		} else {
    +			commonShare.SidebarLinks = append(commonShare.SidebarLinks, link)
    +		}
    +	}
    +	return renderJSON(w, r, commonShare)
    +}
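Review bot: This function is the one the previous patch deleted from share.go, re-added here line for line, including the `need full Link to get Token` comment and the `@Description ... with or without authentication` doc string. Nothing in the hunk checks the share password or strips a token-bearing field before renderJSON, so on its own it restores the behaviour the advisory describes; whether the fix holds depends on how public.go registers the handler, and any password-enforcing wrapper is not visible here. The narrative above also states the endpoint was removed entirely, which this hunk contradicts; the description should say the handler was moved. Suggest either gating the response on the share password or blanking the download/token field alongside `commonShare.Source = ""` and `commonShare.Path = ""`, so the handler is safe regardless of how it is routed.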
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)

News mentions (0)

No linked articles in our index yet.