GHSA-68J5-4M99-W9W9

Vulnerability from github – Published: 2026-03-18 12:59 – Updated: 2026-03-20 21:16
Summary
File Browser has an Authorization Policy Bypass in Public Share Download Flow
Details

Summary

A permission enforcement flaw allows users without download privileges (download=false) to still expose and retrieve file content via public share links when they retain share privileges (share=true). This bypasses the intended access control policy and enables unauthorized data exfiltration to unauthenticated users, which matters where download restrictions are used for data-loss prevention or role separation.

Details

The backend applies inconsistent authorization checks across download paths:

  • Direct raw download correctly enforces Perm.Download: https://github.com/filebrowser/filebrowser/blob/master/http/raw.go#82 (filebrowser/http/raw.go:82)
  • Share creation only enforces Perm.Share: https://github.com/filebrowser/filebrowser/blob/master/http/share.go#21 (filebrowser/http/share.go:21)
  • Public share/download handlers serve shared content without verifying the owner's Perm.Download: https://github.com/filebrowser/filebrowser/blob/master/http/public.go#18 (filebrowser/http/public.go:18) and https://github.com/filebrowser/filebrowser/blob/master/http/public.go#116 (filebrowser/http/public.go:116)

As a result, a user who is blocked from direct downloads can create a share and obtain the same file via /api/public/dl/<hash>.

PoC

  1. Create a non-admin user with:
     • perm.share = true
     • perm.download = false

  2. Log in as that user and upload a PDF file:
     • POST /api/resources/nodl_secret_<rand>.pdf with Content-Type: application/pdf

  3. Verify direct raw download is denied:
     • GET /api/raw/nodl_secret_<rand>.pdf
     • Expected and observed: 202 Accepted (blocked)

  4. Create share for same file:
     • POST /api/share/nodl_secret_<rand>.pdf
     • Observed: 200, response includes hash (example: qxfK3JMG)

  5. Download publicly without authentication:
     • GET /api/public/dl/<hash>
     • Observed (vulnerable): 200, Content-Type: application/pdf, and PDF bytes are returned

Live evidence captured (March 1, 2026):
  • create user: 201
  • create file: 200
  • direct /api/raw: 202 Accepted
  • create share: 200
  • public download /api/public/dl/mxK-ppZb: 200
  • public download content-type: application/pdf
  • public download body length: 327 bytes
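
The Details and PoC sections above describe three handlers that apply different checks to the same file. The Go program below is an added model of those paths and is not File Browser's own code: it rebuilds the route shapes over an in-memory store, stands in for a login session with an assumed X-User header, and seeds a constructed PDF in place of the upload step. RunPoC(false) walks the advisory's steps against the vulnerable shape and reproduces the observed statuses (202 for the raw download, 200 for the share, 200 with the file bytes for the unauthenticated public download); RunPoC(true) switches the public handler to a hardened form that re-checks the share owner's Perm.Download before serving.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Perm carries the two flags the advisory discusses. The rest of this file is an
// added illustrative model of the three download paths over an in-memory store,
// not File Browser's code; the X-User header standing in for a login session is an assumption.
type Perm struct{ Share, Download bool }

// Link is a public share: the shared path and the name of the user who created it.
type Link struct{ Path, Owner string }

type app struct {
	users map[string]Perm
	files map[string][]byte
	links map[string]*Link
	// hardened selects the fixed public handler, which re-checks the share
	// owner's Perm.Download instead of trusting the link alone.
	hardened bool
}

// perms returns the caller's permissions; a missing or unknown X-User header
// yields the zero Perm, i.e. no rights at all.
func (a *app) perms(r *http.Request) Perm { return a.users[r.Header.Get("X-User")] }

func (a *app) routes() http.Handler {
	mux := http.NewServeMux()
	// Direct download enforces Perm.Download; a denial answers 202, the status
	// the advisory observed for a blocked raw download.
	mux.HandleFunc("/api/raw/", func(w http.ResponseWriter, r *http.Request) {
		if !a.perms(r).Download {
			w.WriteHeader(http.StatusAccepted)
			return
		}
		w.Write(a.files[strings.TrimPrefix(r.URL.Path, "/api/raw/")])
	})
	// Share creation enforces only Perm.Share, as the advisory describes.
	mux.HandleFunc("/api/share/", func(w http.ResponseWriter, r *http.Request) {
		if !a.perms(r).Share {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		hash := fmt.Sprintf("h%d", len(a.links)+1)
		a.links[hash] = &Link{Path: strings.TrimPrefix(r.URL.Path, "/api/share/"), Owner: r.Header.Get("X-User")}
		fmt.Fprint(w, hash)
	})
	// Public download is unauthenticated. The vulnerable form serves whatever a
	// valid hash points at; the hardened form also requires the share's owner to
	// hold Perm.Download, so a share never grants more than its creator has.
	mux.HandleFunc("/api/public/dl/", func(w http.ResponseWriter, r *http.Request) {
		l, ok := a.links[strings.TrimPrefix(r.URL.Path, "/api/public/dl/")]
		if !ok {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		if a.hardened && !a.users[l.Owner].Download {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		w.Write(a.files[l.Path])
	})
	return mux
}

// PoCResult records the status of each advisory step and the public link's body.
type PoCResult struct {
	Raw, Share, Public int
	PublicBody         string
}

// RunPoC walks the advisory's steps in-process as user "nodl" (share=true,
// download=false). The "uploaded" PDF is a constructed sample seeded directly.
func RunPoC(hardened bool) PoCResult {
	const name = "nodl_secret_1.pdf"
	a := &app{
		users:    map[string]Perm{"nodl": {Share: true}},
		files:    map[string][]byte{name: []byte("%PDF-1.4 constructed sample")},
		links:    map[string]*Link{},
		hardened: hardened,
	}
	h := a.routes()
	do := func(method, path, user string) (int, string) {
		req := httptest.NewRequest(method, path, nil)
		req.Header.Set("X-User", user)
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec.Code, rec.Body.String()
	}
	raw, _ := do("GET", "/api/raw/"+name, "nodl")
	share, hash := do("POST", "/api/share/"+name, "nodl")
	public, body := do("GET", "/api/public/dl/"+hash, "") // no session at all
	return PoCResult{raw, share, public, body}
}
```

RunPoC(false) yields Raw 202, Share 200 and Public 200 with the seeded bytes, the same pattern as the live evidence; RunPoC(true) yields Public 403 with an empty body. Re-checking the owner's right at serve time rather than only when the share is created also covers links made before the owner's download permission was withdrawn. The upstream fix is the commit and the v2.62.0 release listed in the references; this model is written to show the missing check, not to mirror that code line for line.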

Impact

This is an access control / authorization policy bypass vulnerability.

  • Who can exploit: Any authenticated user granted share=true but denied download.
  • Who is impacted: Operators and organizations relying on download restrictions to prevent data export.
  • What can happen: Restricted users can still distribute and retrieve files publicly, including unauthenticated access through share URLs.

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "https://github.com/filebrowser/filebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.61.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32761"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T12:59:12Z",
    "nvd_published_at": "2026-03-20T00:16:17Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA permission enforcement flaw allows users without download privileges (`download=false`) to still expose and retrieve file content via public share links when they retain share privileges (`share=true`). This bypasses intended access control policy and enables unauthorized data exfiltration to unauthenticated users. Where download restrictions are used for data-loss prevention or role separation.\n\n### Details\nThe backend applies inconsistent authorization checks across download paths:\n\n- Direct raw download correctly enforces `Perm.Download`:\n  - [[raw.go](https://github.com/filebrowser/filebrowser/blob/master/http/raw.go#82)](filebrowser/http/raw.go:82)\n- Share creation only enforces `Perm.Share`:\n  - [[share.go](https://github.com/filebrowser/filebrowser/blob/master/http/share.go#21)](filebrowser/http/share.go:21)\n- Public share/download handlers serve shared content without verifying owner `Perm.Download`:\n  - [public.go](https://github.com/filebrowser/filebrowser/blob/master/http/public.go#18)(filebrowser/http/public.go:18)\n  - [public.go](https://github.com/filebrowser/filebrowser/blob/master/http/public.go#116)(filebrowser/http/public.go:116)\n\nAs a result, a user who is blocked from direct downloads can create a share and obtain the same file via `/api/public/dl/\u003chash\u003e`.\n\n### PoC\n\n1. Create a non-admin user with:\n- `perm.share = true`\n- `perm.download = false`\n\n2. Login as that user and upload a **PDF** file:\n- `POST /api/resources/nodl_secret_\u003crand\u003e.pdf` with `Content-Type: application/pdf`\n\n3. Verify direct raw download is denied:\n- `GET /api/raw/nodl_secret_\u003crand\u003e.pdf`\n- Expected and observed: `202 Accepted` (blocked)\n\n4. Create share for same file:\n- `POST /api/share/nodl_secret_\u003crand\u003e.pdf`\n- Observed: `200`, response includes `hash` (example: `qxfK3JMG`)\n\n5. Download publicly without authentication:\n- `GET /api/public/dl/\u003chash\u003e`\n- Observed (vulnerable): `200`, `Content-Type: application/pdf`, and PDF bytes are returned\n\nLive evidence captured (March 1, 2026):\n- `create user`: `201`\n- `create file`: `200`\n- `direct /api/raw`: `202 Accepted`\n- `create share`: `200`\n- `public download /api/public/dl/mxK-ppZb`: `200`\n- `public download content-type`: `application/pdf`\n- `public download body length`: `327` bytes\n\n### Impact\nThis is an **access control / authorization policy bypass** vulnerability.\n\n- **Who can exploit:** Any authenticated user granted `share=true` but denied `download`.\n- **Who is impacted:** Operators and organizations relying on download restrictions to prevent data export.\n- **What can happen:** Restricted users can still distribute and retrieve files publicly, including unauthenticated access through share URLs.",
  "id": "GHSA-68j5-4m99-w9w9",
  "modified": "2026-03-20T21:16:13Z",
  "published": "2026-03-18T12:59:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32761"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File Browser has an Authorization Policy Bypass in Public Share Download Flow"
}

