File Browser has an Authorization Policy Bypass in its Public Share Download Flow
Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/<hash>) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
https://github.com/filebrowser/filebrowserGo | <= 2.61.0 | — |
Affected products
1- Range: < 2.62.0
Patches
109a26166b4f7fix: make perm.share depend on share.download
2 files changed · +5 −2
frontend/src/views/files/FileListing.vue+4 −1 modified@@ -480,7 +480,10 @@ const headerButtons = computed(() => { shell: authStore.user?.perm.execute && enableExec, delete: fileStore.selectedCount > 0 && authStore.user?.perm.delete, rename: fileStore.selectedCount === 1 && authStore.user?.perm.rename, - share: fileStore.selectedCount === 1 && authStore.user?.perm.share, + share: + fileStore.selectedCount === 1 && + authStore.user?.perm.share && + authStore.user?.perm.download, move: fileStore.selectedCount > 0 && authStore.user?.perm.rename, copy: fileStore.selectedCount > 0 && authStore.user?.perm.create, };
http/share.go+1 −1 modified@@ -20,7 +20,7 @@ import ( func withPermShare(fn handleFunc) handleFunc { return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) { - if !d.user.Perm.Share { + if !d.user.Perm.Share || !d.user.Perm.Download { return http.StatusForbidden, nil }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-68j5-4m99-w9w9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32761ghsaADVISORY
- github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32ghsax_refsource_MISCWEB
- github.com/filebrowser/filebrowser/releases/tag/v2.62.0ghsax_refsource_MISCWEB
- github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.