Vulnerability-Lookup

CVE-2026-32761 (GCVE-0-2026-32761)

Vulnerability from cvelistv5 – Published: 2026-03-19 23:45 – Updated: 2026-03-21 03:04

Title

File Browser has an Authorization Policy Bypass in its Public Share Download Flow

Summary

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/<hash>) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-284 - Improper Access Control
CWE-639 - Authorization Bypass Through User-Controlled Key
CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/filebrowser/filebrowser/securi…	x_refsource_CONFIRM
	https://github.com/filebrowser/filebrowser/commit…	x_refsource_MISC
	https://github.com/filebrowser/filebrowser/releas…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	filebrowser	filebrowser	Affected: < 2.62.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32761",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-21T03:03:41.892908Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-21T03:04:15.817Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "filebrowser",
          "vendor": "filebrowser",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.62.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/\u003chash\u003e) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-19T23:45:33.784Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9"
        },
        {
          "name": "https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32"
        },
        {
          "name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0"
        }
      ],
      "source": {
        "advisory": "GHSA-68j5-4m99-w9w9",
        "discovery": "UNKNOWN"
      },
      "title": "File Browser has an Authorization Policy Bypass in its Public Share Download Flow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32761",
    "datePublished": "2026-03-19T23:45:33.784Z",
    "dateReserved": "2026-03-13T18:53:03.533Z",
    "dateUpdated": "2026-03-21T03:04:15.817Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-32761",
      "date": "2026-04-17",
      "epss": "0.00011",
      "percentile": "0.01212"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32761\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T00:16:17.617\",\"lastModified\":\"2026-03-23T16:56:04.520\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/\u003chash\u003e) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0.\"},{\"lang\":\"es\",\"value\":\"Navegador de Archivos es una interfaz de gesti\u00f3n de archivos para cargar, eliminar, previsualizar, renombrar y editar archivos dentro de un directorio especificado. Las versiones 2.61.0 e inferiores contienen un bypass de aplicaci\u00f3n de permisos que permite a los usuarios a quienes se les deniegan los privilegios de descarga (perm.download = false) pero se les conceden privilegios de compartir (perm.share = true) exfiltrar contenido de archivos mediante la creaci\u00f3n de enlaces de compartici\u00f3n p\u00fablicos. Mientras que el endpoint de descarga directa en bruto (/api/raw/) aplica correctamente el permiso de descarga, el endpoint de creaci\u00f3n de compartici\u00f3n solo verifica Perm.Share, y el gestor de descarga p\u00fablica (/api/public/dl/) sirve contenido de archivos sin verificar que el propietario original del archivo tenga permiso de descarga. Esto significa que cualquier usuario autenticado con acceso de compartici\u00f3n puede eludir las restricciones de descarga compartiendo un archivo y luego recuper\u00e1ndolo a trav\u00e9s de la URL de descarga p\u00fablica no autenticada. La vulnerabilidad socava las pol\u00edticas de prevenci\u00f3n de p\u00e9rdida de datos y de separaci\u00f3n de roles, ya que los usuarios restringidos pueden distribuir p\u00fablicamente archivos que tienen expl\u00edcitamente bloqueada la descarga directa. Este problema ha sido solucionado en la versi\u00f3n 2.62.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"},{\"lang\":\"en\",\"value\":\"CWE-639\"},{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.62.0\",\"matchCriteriaId\":\"7E5C9E4B-8749-44EA-AB8D-1292D4C9DB65\"}]}]}],\"references\":[{\"url\":\"https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32761\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-21T03:03:41.892908Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-21T03:04:11.786Z\"}}], \"cna\": {\"title\": \"File Browser has an Authorization Policy Bypass in its Public Share Download Flow\", \"source\": {\"advisory\": \"GHSA-68j5-4m99-w9w9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"filebrowser\", \"product\": \"filebrowser\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.62.0\"}]}], \"references\": [{\"url\": \"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9\", \"name\": \"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32\", \"name\": \"https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0\", \"name\": \"https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/\u003chash\u003e) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-19T23:45:33.784Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32761\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-21T03:04:15.817Z\", \"dateReserved\": \"2026-03-13T18:53:03.533Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-19T23:45:33.784Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-68J5-4M99-W9W9

Vulnerability from github – Published: 2026-03-18 12:59 – Updated: 2026-03-20 21:16

Summary

File Browser has an Authorization Policy Bypass in Public Share Download Flow

Details

Summary

A permission enforcement flaw allows users without download privileges (download=false) to still expose and retrieve file content via public share links when they retain share privileges (share=true). This bypasses intended access control policy and enables unauthorized data exfiltration to unauthenticated users. Where download restrictions are used for data-loss prevention or role separation.

Details

The backend applies inconsistent authorization checks across download paths:

Direct raw download correctly enforces Perm.Download:
[raw.go](https://github.com/filebrowser/filebrowser/blob/master/http/raw.go#82)
Share creation only enforces Perm.Share:
[share.go](https://github.com/filebrowser/filebrowser/blob/master/http/share.go#21)
Public share/download handlers serve shared content without verifying owner Perm.Download:
public.go(filebrowser/http/public.go:18)
public.go(filebrowser/http/public.go:116)

As a result, a user who is blocked from direct downloads can create a share and obtain the same file via /api/public/dl/<hash>.

PoC

Create a non-admin user with:
perm.share = true
perm.download = false
Login as that user and upload a PDF file:
POST /api/resources/nodl_secret_<rand>.pdf with Content-Type: application/pdf
Verify direct raw download is denied:
GET /api/raw/nodl_secret_<rand>.pdf
Expected and observed: 202 Accepted (blocked)
Create share for same file:
POST /api/share/nodl_secret_<rand>.pdf
Observed: 200, response includes hash (example: qxfK3JMG)
Download publicly without authentication:
GET /api/public/dl/<hash>
Observed (vulnerable): 200, Content-Type: application/pdf, and PDF bytes are returned

Live evidence captured (March 1, 2026): - create user: 201 - create file: 200 - direct /api/raw: 202 Accepted - create share: 200 - public download /api/public/dl/mxK-ppZb: 200 - public download content-type: application/pdf - public download body length: 327 bytes

Impact

This is an access control / authorization policy bypass vulnerability.

Who can exploit: Any authenticated user granted share=true but denied download.
Who is impacted: Operators and organizations relying on download restrictions to prevent data export.
What can happen: Restricted users can still distribute and retrieve files publicly, including unauthenticated access through share URLs.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "https://github.com/filebrowser/filebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.61.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32761"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T12:59:12Z",
    "nvd_published_at": "2026-03-20T00:16:17Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA permission enforcement flaw allows users without download privileges (`download=false`) to still expose and retrieve file content via public share links when they retain share privileges (`share=true`). This bypasses intended access control policy and enables unauthorized data exfiltration to unauthenticated users. Where download restrictions are used for data-loss prevention or role separation.\n\n### Details\nThe backend applies inconsistent authorization checks across download paths:\n\n- Direct raw download correctly enforces `Perm.Download`:\n  - [[raw.go](https://github.com/filebrowser/filebrowser/blob/master/http/raw.go#82)](filebrowser/http/raw.go:82)\n- Share creation only enforces `Perm.Share`:\n  - [[share.go](https://github.com/filebrowser/filebrowser/blob/master/http/share.go#21)](filebrowser/http/share.go:21)\n- Public share/download handlers serve shared content without verifying owner `Perm.Download`:\n  - [public.go](https://github.com/filebrowser/filebrowser/blob/master/http/public.go#18)(filebrowser/http/public.go:18)\n  - [public.go](https://github.com/filebrowser/filebrowser/blob/master/http/public.go#116)(filebrowser/http/public.go:116)\n\nAs a result, a user who is blocked from direct downloads can create a share and obtain the same file via `/api/public/dl/\u003chash\u003e`.\n\n### PoC\n\n1. Create a non-admin user with:\n- `perm.share = true`\n- `perm.download = false`\n\n2. Login as that user and upload a **PDF** file:\n- `POST /api/resources/nodl_secret_\u003crand\u003e.pdf` with `Content-Type: application/pdf`\n\n3. Verify direct raw download is denied:\n- `GET /api/raw/nodl_secret_\u003crand\u003e.pdf`\n- Expected and observed: `202 Accepted` (blocked)\n\n4. Create share for same file:\n- `POST /api/share/nodl_secret_\u003crand\u003e.pdf`\n- Observed: `200`, response includes `hash` (example: `qxfK3JMG`)\n\n5. Download publicly without authentication:\n- `GET /api/public/dl/\u003chash\u003e`\n- Observed (vulnerable): `200`, `Content-Type: application/pdf`, and PDF bytes are returned\n\nLive evidence captured (March 1, 2026):\n- `create user`: `201`\n- `create file`: `200`\n- `direct /api/raw`: `202 Accepted`\n- `create share`: `200`\n- `public download /api/public/dl/mxK-ppZb`: `200`\n- `public download content-type`: `application/pdf`\n- `public download body length`: `327` bytes\n\n### Impact\nThis is an **access control / authorization policy bypass** vulnerability.\n\n- **Who can exploit:** Any authenticated user granted `share=true` but denied `download`.\n- **Who is impacted:** Operators and organizations relying on download restrictions to prevent data export.\n- **What can happen:** Restricted users can still distribute and retrieve files publicly, including unauthenticated access through share URLs.",
  "id": "GHSA-68j5-4m99-w9w9",
  "modified": "2026-03-20T21:16:13Z",
  "published": "2026-03-18T12:59:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32761"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File Browser has an Authorization Policy Bypass in Public Share Download Flow"
}

FKIE_CVE-2026-32761

Vulnerability from fkie_nvd - Published: 2026-03-20 00:16 - Updated: 2026-03-23 16:56

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32	Patch
security-advisories@github.com	https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0	Product, Release Notes
security-advisories@github.com	https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	filebrowser	filebrowser	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7E5C9E4B-8749-44EA-AB8D-1292D4C9DB65",
              "versionEndExcluding": "2.62.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/\u003chash\u003e) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0."
    },
    {
      "lang": "es",
      "value": "Navegador de Archivos es una interfaz de gesti\u00f3n de archivos para cargar, eliminar, previsualizar, renombrar y editar archivos dentro de un directorio especificado. Las versiones 2.61.0 e inferiores contienen un bypass de aplicaci\u00f3n de permisos que permite a los usuarios a quienes se les deniegan los privilegios de descarga (perm.download = false) pero se les conceden privilegios de compartir (perm.share = true) exfiltrar contenido de archivos mediante la creaci\u00f3n de enlaces de compartici\u00f3n p\u00fablicos. Mientras que el endpoint de descarga directa en bruto (/api/raw/) aplica correctamente el permiso de descarga, el endpoint de creaci\u00f3n de compartici\u00f3n solo verifica Perm.Share, y el gestor de descarga p\u00fablica (/api/public/dl/) sirve contenido de archivos sin verificar que el propietario original del archivo tenga permiso de descarga. Esto significa que cualquier usuario autenticado con acceso de compartici\u00f3n puede eludir las restricciones de descarga compartiendo un archivo y luego recuper\u00e1ndolo a trav\u00e9s de la URL de descarga p\u00fablica no autenticada. La vulnerabilidad socava las pol\u00edticas de prevenci\u00f3n de p\u00e9rdida de datos y de separaci\u00f3n de roles, ya que los usuarios restringidos pueden distribuir p\u00fablicamente archivos que tienen expl\u00edcitamente bloqueada la descarga directa. Este problema ha sido solucionado en la versi\u00f3n 2.62.0."
    }
  ],
  "id": "CVE-2026-32761",
  "lastModified": "2026-03-23T16:56:04.520",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T00:16:17.617",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        },
        {
          "lang": "en",
          "value": "CWE-639"
        },
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32761 (GCVE-0-2026-32761)

GHSA-68J5-4M99-W9W9

Summary

Details

PoC

Impact

FKIE_CVE-2026-32761

Tags

Sightings

Nomenclature