FileBrowser Quantum: unauthenticated user share share info
Description
Impact
Some sensitive info, such as source and path, can get exposed.
Patches
Update to the latest version
Workarounds
No
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FileBrowser Quantum v1.4.16 and earlier expose sensitive source and path information to unauthenticated users through share functionality.
Vulnerability
FileBrowser Quantum versions prior to v1.4.16 allow an unauthenticated attacker to view sensitive metadata (source names and paths) due to improper privilege checks in user-scope assignment during defaults application. The flaw exists in the ApplyUserDefaults function, where the check for scopes was incorrectly adjusted, permitting anonymous users to inherit source-scope information intended only for authenticated users [1][4]. Affected versions: all before v1.4.16.
Exploitation
An attacker needs no authentication, only network access to a vulnerable FileBrowser instance and knowledge of a valid share link or public endpoint. The bug is triggered when ApplyUserDefaults processes an anonymous user; the patched version now skips default application for anonymous users entirely, preventing the scope leak [4]. In vulnerable versions, the condition `if len(u.Scopes) == 0` would allow anonymous users to receive default scopes, exposing source configuration details.
Impact
Successful exploitation leaks source names and file paths that should be hidden from unauthenticated users. This could aid further reconnaissance or targeted attacks against the file system. The disclosure of path information has a CVSS v4.0 High severity (GHSA rating) [1], though the advisory does not detail exact CIA scores; the primary compromise is confidentiality of system metadata.
Mitigation
Upgrade to FileBrowser Quantum v1.4.16, released on or about May 2026, which introduces a check returning early for the "anonymous" user in ApplyUserDefaults [4]. No workarounds are described in the advisory [1][3]. There is no indication the CVE is listed on the CISA KEV.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 1.2.1-stable.0.20260514154726-1802e1281135
Patches
1802e1281135: updated to fix critical bug (#2424) (#2427)
2 files changed · +10 −1
backend/common/settings/settings.go+5 −1 modified@@ -133,6 +133,10 @@ func ApplyUserDefaults(u *users.User) { // FileLoading settings u.FileLoading = d.FileLoading + if u.Username == "anonymous" { + return + } + // Permissions u.Permissions.Api = d.Account.Permissions.Api u.Permissions.Admin = d.Account.Permissions.Admin @@ -147,7 +151,7 @@ func ApplyUserDefaults(u *users.User) { u.LoginMethod = users.LoginMethod(d.Account.LoginMethod) } - if len(u.Scopes) == 0 && u.Username != "anonymous" { + if len(u.Scopes) == 0 { for _, source := range Config.Server.Sources { if source.Config.DefaultEnabled { u.Scopes = append(u.Scopes, users.SourceScope{
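Review bot: the new guard is inserted after `u.FileLoading = d.FileLoading`, so the anonymous user still receives the default FileLoading settings while every later default (permissions, login method, scopes) is skipped; if that split is deliberate, a comment at the `return` saying which defaults anonymous is meant to keep will stop the guard from being moved above or below that line in a later refactor. Note also that the removed line `- if len(u.Scopes) == 0 && u.Username != "anonymous" {` already excluded anonymous from default scope assignment, so the leak this commit closes must come from a default applied between the FileLoading line and that block (the permissions assignments or the elided lines); the commit message "updated to fix critical bug" does not say which field, and a regression test that builds a user with `Username: "anonymous"`, calls ApplyUserDefaults and asserts that field stays empty would pin the fix to the actual leak.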
CHANGELOG.md+5 −0 modified@@ -2,6 +2,11 @@ All notable changes to this project will be documented in this file. For commit guidelines, please refer to [Standard Version](https://github.com/conventional-changelog/standard-version). +## v1.4.1 + + **Security**: + - Fix critical: unauthenticated user can view source info + ## v1.4.0 **New Features**:
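Review bot: the changelog entry names the fix only as "unauthenticated user can view source info" under a new `## v1.4.1` heading, while the advisory text on this page refers to v1.4.16 and the affected range is expressed as a 1.2.1-stable pseudo-version; the entry should carry the advisory identifier (GHSA or CVE) and the PR references from the commit message (#2424, #2427) so a reader can map the shipped version to the advisory without guessing which number is authoritative.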
Vulnerability mechanics
Root cause
"Missing early return for anonymous users in ApplyUserDefaults allows sensitive default settings (source and path info) to be applied to unauthenticated sessions."
Attack vector
An unauthenticated attacker can access the application as the "anonymous" user. Because ApplyUserDefaults no longer returns early for anonymous users (the patch adds that guard), the function proceeds to apply default permissions, scopes, and file-loading settings—including source and path information—to the anonymous session. The attacker simply sends a request to any endpoint that triggers user-default application; no authentication or special payload is required. The advisory confirms this exposes "source and path" details [patch_id=646457].
Affected code
The vulnerability resides in `backend/common/settings/settings.go` in the `ApplyUserDefaults` function. The function previously did not return early for the "anonymous" user, so it would apply default settings—including source and path information from `Config.Server.Sources`—to unauthenticated sessions [patch_id=646457].
What the fix does
The patch adds an early return at the top of ApplyUserDefaults when `u.Username == "anonymous"`, preventing any default settings from being applied to unauthenticated sessions [patch_id=646457]. It also removes the `u.Username != "anonymous"` condition from the scope-application block, since the early return now guarantees anonymous users never reach it; scope assignment therefore only runs for authenticated users who have no scopes. Together these changes ensure that sensitive configuration data (sources, paths, permissions) is never leaked to unauthenticated users.
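The guard pattern described above, as an added example that is not FileBrowser Quantum's code: a reduced model of `ApplyUserDefaults` in both its pre-fix and fixed control flow, taken only from the hunk lines visible on this page, plus a check that runs either variant on a fresh anonymous user and reports which account-level defaults reached it. The `User`, `Source`, `Permissions` and `SourceScope` types, the sample sources and the default permissions are constructed for the example; the FileLoading assignment that precedes the real guard, and whatever the diff elides between it and the scope block, are not modelled.

```go
package main

import "fmt"

// Reduced model of the structures involved; constructed for this example,
// not the project's own types.
type SourceScope struct {
	Name string // source name as presented to the user
	Path string // backend path: the value the advisory says must stay hidden
}

type Permissions struct {
	Api   bool
	Admin bool
}

type User struct {
	Username    string
	Permissions Permissions
	Scopes      []SourceScope
}

type Source struct {
	Name           string
	Path           string
	DefaultEnabled bool
}

// Constructed sample configuration (assumed values, not a real deployment).
var sampleSources = []Source{
	{Name: "docs", Path: "/srv/docs", DefaultEnabled: true},
	{Name: "archive", Path: "/mnt/archive", DefaultEnabled: false},
}

var defaultPermissions = Permissions{Api: true, Admin: false}

// applyDefaultsBefore mirrors the pre-fix control flow from the diff:
// account-level defaults are applied to every user, and only the scope
// block carries its own anonymous check.
func applyDefaultsBefore(u *User, sources []Source) {
	u.Permissions = defaultPermissions
	if len(u.Scopes) == 0 && u.Username != "anonymous" {
		for _, s := range sources {
			if s.DefaultEnabled {
				u.Scopes = append(u.Scopes, SourceScope{Name: s.Name, Path: s.Path})
			}
		}
	}
}

// applyDefaultsAfter mirrors the fixed control flow: a single guard at the
// top stops every account-level default from reaching the anonymous user,
// so the scope block no longer needs a check of its own.
func applyDefaultsAfter(u *User, sources []Source) {
	if u.Username == "anonymous" {
		return
	}
	u.Permissions = defaultPermissions
	if len(u.Scopes) == 0 {
		for _, s := range sources {
			if s.DefaultEnabled {
				u.Scopes = append(u.Scopes, SourceScope{Name: s.Name, Path: s.Path})
			}
		}
	}
}

// anonymousDefaults runs apply on a fresh anonymous user and lists which
// account-level fields ended up populated. Any entry is a leak: the
// anonymous session received data intended for authenticated users.
func anonymousDefaults(apply func(*User, []Source), sources []Source) []string {
	u := &User{Username: "anonymous"}
	apply(u, sources)
	var leaked []string
	if u.Permissions != (Permissions{}) {
		leaked = append(leaked, "permissions")
	}
	for _, sc := range u.Scopes {
		leaked = append(leaked, "scope:"+sc.Name+"="+sc.Path)
	}
	return leaked
}

func main() {
	fmt.Println("before fix:", anonymousDefaults(applyDefaultsBefore, sampleSources))
	fmt.Println("after fix: ", anonymousDefaults(applyDefaultsAfter, sampleSources))
	alice := &User{Username: "alice"}
	applyDefaultsAfter(alice, sampleSources)
	fmt.Println("alice scopes:", alice.Scopes)
}
```

`anonymousDefaults` is the shape of regression test worth keeping next to the real function: it does not care which field leaks, only that a user named `anonymous` comes back with nothing beyond what it was given, so a future default added to the function is caught even if the scope block is never touched.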
Preconditions
- auth: The attacker must be unauthenticated (i.e., accessing the application as the 'anonymous' user).
- network: The attacker must be able to reach the File Browser web interface over the network.
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.