File Browser has an Authorization Policy Bypass in Public Share Download Flow

Moderate severity GitHub Reviewed Published Mar 17, 2026 in filebrowser/filebrowser • Updated Mar 18, 2026

Package

gomod https://github.com/filebrowser/filebrowser (Go)

Affected versions

<= 2.61.0

Patched versions

None

Description

Summary

A permission-enforcement flaw allows users without download privileges (download=false) to expose and retrieve file content via public share links as long as they retain share privileges (share=true). This bypasses the intended access-control policy and enables unauthorized data exfiltration to unauthenticated users, which matters wherever download restrictions are used for data-loss prevention or role separation.

Details

The backend applies inconsistent authorization checks across download paths:

  • Direct raw download correctly enforces Perm.Download:
    • [raw.go](filebrowser/http/raw.go:82)
  • Share creation only enforces Perm.Share:
    • [share.go](filebrowser/http/share.go:21)
  • Public share/download handlers serve shared content without verifying the owner's Perm.Download.

As a result, a user who is blocked from direct downloads can create a share and obtain the same file via /api/public/dl/<hash>.
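The inconsistency described above is easiest to see in a small model. The following Go program is an added example, not code from filebrowser/filebrowser: it stands in an in-memory share store for the project's storage layer, uses assumed type names (Permissions, User, Share, ShareStore) that only mirror the two flags the advisory discusses, and contrasts the lax policy (share creation checks only Perm.Share, the public handler checks nothing) with a hardened one that refuses to mint a public link for an owner who cannot download and re-checks the owner's Perm.Download when the link is served.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Permissions is a cut-down stand-in (assumed shape) for the per-user flags;
// only the two flags the advisory discusses are modelled.
type Permissions struct {
	Download bool
	Share    bool
}

// User ties a name to its permissions.
type User struct {
	Name string
	Perm Permissions
}

// Share is a minimal public-share record: the hash used in
// /api/public/dl/<hash>, the shared path and the user who created it.
type Share struct {
	Hash  string
	Path  string
	Owner *User
}

// ShareStore is an in-memory stand-in for the project's storage layer.
type ShareStore struct {
	byHash map[string]*Share
	files  map[string][]byte
}

func NewShareStore() *ShareStore {
	return &ShareStore{byHash: map[string]*Share{}, files: map[string][]byte{}}
}

// CreateShare: the lax rule checks only Perm.Share (what the advisory reports
// for share.go). The hardened rule also requires Perm.Download, because a
// public share link is itself a download path.
func (s *ShareStore) CreateShare(owner *User, path, hash string, hardened bool) error {
	if !owner.Perm.Share {
		return fmt.Errorf("user %q lacks share permission", owner.Name)
	}
	if hardened && !owner.Perm.Download {
		return fmt.Errorf("user %q lacks download permission; refusing to create public share", owner.Name)
	}
	s.byHash[hash] = &Share{Hash: hash, Path: path, Owner: owner}
	return nil
}

// PublicDownloadHandler serves /api/public/dl/<hash>. The lax variant returns
// the bytes to anyone holding the hash. The hardened variant re-checks the
// owner's Perm.Download at serve time, so a link created through the lax path,
// or before the owner's download right was revoked, stops working.
func (s *ShareStore) PublicDownloadHandler(hardened bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hash := strings.TrimPrefix(r.URL.Path, "/api/public/dl/")
		sh, ok := s.byHash[hash]
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		if hardened && (sh.Owner == nil || !sh.Owner.Perm.Download) {
			http.Error(w, "forbidden", http.StatusForbidden) // deny before touching the file
			return
		}
		data, ok := s.files[sh.Path]
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/pdf")
		w.Write(data)
	})
}

// PublicDownloadStatus drives the handler in-process and returns the HTTP status.
func (s *ShareStore) PublicDownloadStatus(hash string, hardened bool) int {
	req := httptest.NewRequest(http.MethodGet, "/api/public/dl/"+hash, nil)
	rec := httptest.NewRecorder()
	s.PublicDownloadHandler(hardened).ServeHTTP(rec, req)
	return rec.Code
}

// Scenario reproduces the advisory's setup (share=true, download=false) and
// reports the outcome under both policies. File bytes and hash are constructed.
func Scenario() (lax, hardened int, createErr error) {
	restricted := &User{Name: "nodl", Perm: Permissions{Share: true, Download: false}}
	store := NewShareStore()
	store.files["/nodl_secret.pdf"] = []byte("%PDF-1.4 constructed sample\n")
	_ = store.CreateShare(restricted, "/nodl_secret.pdf", "examplehash", false) // lax creation succeeds
	lax = store.PublicDownloadStatus("examplehash", false)                       // 200: file leaks
	hardened = store.PublicDownloadStatus("examplehash", true)                   // 403: owner cannot download
	createErr = store.CreateShare(restricted, "/nodl_secret.pdf", "examplehash2", true)
	return
}

func main() {
	lax, hard, err := Scenario()
	fmt.Printf("lax public download: %d\nhardened public download: %d\nhardened share creation: %v\n", lax, hard, err)
}
```

Both checks are worth keeping: the creation-time check closes the path the advisory describes, and the serve-time check covers links that already exist or whose owner loses the download right later. Auditing existing deployments for users with share=true and download=false, and their outstanding share hashes, is the corresponding operational step.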

PoC

  1. Create a non-admin user with:
     • perm.share = true
     • perm.download = false
  2. Log in as that user and upload a PDF file:
     • POST /api/resources/nodl_secret_<rand>.pdf with Content-Type: application/pdf
  3. Verify that direct raw download is denied:
     • GET /api/raw/nodl_secret_<rand>.pdf
     • Expected and observed: 202 Accepted (blocked)
  4. Create a share for the same file:
     • POST /api/share/nodl_secret_<rand>.pdf
     • Observed: 200, response includes hash (example: qxfK3JMG)
  5. Download publicly without authentication:
     • GET /api/public/dl/<hash>
     • Observed (vulnerable): 200, Content-Type: application/pdf, and PDF bytes are returned

Live evidence captured (March 1, 2026):

  • create user: 201
  • create file: 200
  • direct /api/raw: 202 Accepted
  • create share: 200
  • public download /api/public/dl/mxK-ppZb: 200
  • public download content-type: application/pdf
  • public download body length: 327 bytes

Impact

This is an access control / authorization policy bypass vulnerability.

  • Who can exploit: Any authenticated user granted share=true but denied download.
  • Who is impacted: Operators and organizations relying on download restrictions to prevent data export.
  • What can happen: Restricted users can still distribute and retrieve files publicly, including unauthenticated access through share URLs.

References

@hacdias hacdias published to filebrowser/filebrowser Mar 17, 2026
Published to the GitHub Advisory Database Mar 18, 2026
Reviewed Mar 18, 2026
Last updated Mar 18, 2026

Severity

Moderate

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weaknesses

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Learn more on MITRE.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Learn more on MITRE.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Learn more on MITRE.

CVE ID

CVE-2026-32761

GHSA ID

GHSA-68j5-4m99-w9w9
