High severityNVD Advisory· Published Feb 25, 2026· Updated Feb 27, 2026
FileBrowser Quantum: Password Protection Not Enforced on Shared File Links
CVE-2026-27611
Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/gtsteffaniak/filebrowser/backendGo | < 0.0.0-20260221163904-dbcfba993b85 | 0.0.0-20260221163904-dbcfba993b85 |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/gtsteffaniak/filebrowser/backendpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 0.0.0-20260221163904-dbcfba993b85+ 1 more
- (no CPE)range: < 0.0.0-20260221163904-dbcfba993b85
- (no CPE)range: < 0.0.20260226T182644-150000.1.149.1
- Range: < 1.1.3-stable
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-8vrh-3pm2-v4v6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27611ghsaADVISORY
- github.com/gtsteffaniak/filebrowser/commit/a8c9b9419ec530568991a2f72cec4ed263f99e3cghsaWEB
- github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1ghsax_refsource_MISCWEB
- github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6ghsax_refsource_CONFIRMWEB
- pkg.go.dev/vuln/GO-2026-4546ghsaWEB
News mentions
0No linked articles in our index yet.