FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info
Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete: password-protected shares still disclose a tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FileBrowser Quantum prior to 1.2.2-stable and 1.3.1-beta insecurely discloses a tokenized downloadURL via /public/api/share/info for password-protected shares, allowing unauthorized file access.
Vulnerability
Overview
The vulnerability stems from an incomplete remediation of CVE-2026-27611 in FileBrowser Quantum, a self-hosted file manager. The issue resides in the /public/api/share/info endpoint, which continues to disclose a downloadURL containing an authentication token even when a share is password-protected, as demonstrated by the advisory [3]. Prior versions (before 1.2.2-stable and 1.3.1-beta) still leak the token, allowing anyone with the share hash to download files without supplying the required password.
Exploitation
Process
An attacker who knows or discovers a share hash can directly query the public API endpoint using a simple HTTP request, as shown in the advisory: a curl command to /public/api/share/info?hash=(share-hash) returns a downloadURL field that includes a token parameter [3]. The example response in the advisory confirms that even when hasPassword is true, the downloadURL is included in the response, and the token within that URL can be used to download files without authentication [3].
Impact
Successful exploitation allows an unauthenticated attacker to bypass password protection on publicly shared files and download them directly. The token in the downloadURL provides a time-limited or one-time access credential, but its exposure undermines the intended access control mechanism [1][3]. This can lead to unauthorized exposure of sensitive files shared with password protection.
Mitigation
The vulnerability is fixed in versions 1.2.2-stable and 1.3.1-beta, as noted in the release notes for v1.2.2-stable [4]. Users running any prior version should upgrade immediately. The advisory recommends updating to the latest stable or beta release that includes the full patch [3].
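As an added illustration of the defect class described in the Overview and Exploitation sections above (this is example code written for this page, not code from FileBrowser Quantum or its advisory): a minimal Go handler for a share-info endpoint, with a leaky variant that always attaches the tokenized downloadURL next to a hardened variant that attaches it only for open shares or after the password has been verified on the same request. The Share struct fields, the X-Share-Password header, the /public/api/raw download path and the token values are constructed assumptions for this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Share is a hypothetical share record. Field names are assumptions for this
// example and are not FileBrowser Quantum's own schema.
type Share struct {
	Hash        string
	HasPassword bool
	Password    string // constructed plaintext for the demo; a real store keeps a hash
	Token       string // the download credential the advisory says was exposed
}

// ShareInfo is the public response shape. DownloadURL is omitempty so a
// redacted response lacks the field entirely instead of sending "".
type ShareInfo struct {
	Hash        string `json:"hash"`
	HasPassword bool   `json:"hasPassword"`
	DownloadURL string `json:"downloadURL,omitempty"`
}

// downloadURL builds the tokenized URL (assumed path, not the project's real route).
func downloadURL(s Share) string {
	return fmt.Sprintf("/public/api/raw?hash=%s&token=%s", s.Hash, s.Token)
}

// LeakyShareInfo reproduces the flawed behaviour the advisory describes: the
// tokenized URL is attached regardless of whether the share needs a password.
func LeakyShareInfo(s Share) ShareInfo {
	return ShareInfo{Hash: s.Hash, HasPassword: s.HasPassword, DownloadURL: downloadURL(s)}
}

// SafeShareInfo attaches the tokenized URL only when the share is open or the
// caller has already proven the password on this request.
func SafeShareInfo(s Share, passwordVerified bool) ShareInfo {
	info := ShareInfo{Hash: s.Hash, HasPassword: s.HasPassword}
	if !s.HasPassword || passwordVerified {
		info.DownloadURL = downloadURL(s)
	}
	return info
}

// passwordMatches is the demo verifier: a constant-time compare of the supplied
// value against the stored one. An empty submission never verifies.
func passwordMatches(s Share, supplied string) bool {
	if supplied == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(s.Password), []byte(supplied)) == 1
}

// NewInfoHandler serves /public/api/share/info from a constructed in-memory store.
// The password arrives in the X-Share-Password header (an assumption for this example).
func NewInfoHandler(store map[string]Share) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		s, ok := store[r.URL.Query().Get("hash")]
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		supplied := r.Header.Get("X-Share-Password")
		verified := passwordMatches(s, supplied)
		if s.HasPassword && supplied != "" && !verified {
			// A wrong password is rejected outright rather than silently
			// downgraded to the redacted response.
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		enc := json.NewEncoder(w)
		enc.SetEscapeHTML(false) // keep "&" readable in the URL
		_ = enc.Encode(SafeShareInfo(s, verified))
	})
}

// ServeInfo drives the handler in-process and returns status and body, so the
// redaction can be checked without opening a listening socket.
func ServeInfo(h http.Handler, hash, password string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/public/api/share/info?hash="+hash, nil)
	if password != "" {
		req.Header.Set("X-Share-Password", password)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	// Constructed sample store: one password-protected share, one open share.
	store := map[string]Share{
		"abc123": {Hash: "abc123", HasPassword: true, Password: "hunter2", Token: "constructed-token"},
		"open42": {Hash: "open42", HasPassword: false, Token: "constructed-token-2"},
	}
	h := NewInfoHandler(store)
	cases := []struct{ hash, pw string }{{"abc123", ""}, {"abc123", "hunter2"}, {"abc123", "wrong"}, {"open42", ""}}
	for _, c := range cases {
		code, body := ServeInfo(h, c.hash, c.pw)
		fmt.Printf("hash=%s password=%q -> %d %s", c.hash, c.pw, code, body)
	}
}
```

The point of the hardened variant is that the decision to emit downloadURL is made per request from a verified credential, not from the share's stored flags alone; returning hasPassword while omitting the URL lets a client still render the password prompt without handing out the token.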
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/gtsteffaniak/filebrowser/backend | Go | < 0.0.0-20260307130210-09713b32a5f6 | 0.0.0-20260307130210-09713b32a5f6 |
Affected products
- Range: < 1.3.1-beta, < 1.2.2-stable
- gtsteffaniak/filebrowser: Range >= 1.3.0-beta, < 1.3.1-beta
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-525j-95gf-766f (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-30933 (GHSA, advisory)
- github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable (GHSA, x_refsource_MISC, web)
- github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta (GHSA, x_refsource_MISC, web)
- github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.