CVE-2026-32761
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description

### Summary

A permission enforcement flaw allows users without download privileges (`download=false`) to still expose and retrieve file content via public share links when they retain share privileges (`share=true`). This bypasses the intended access control policy and enables unauthorized data exfiltration to unauthenticated users, particularly where download restrictions are used for data-loss prevention or role separation.

### Details

The backend applies inconsistent authorization checks across download paths:

- Direct raw download correctly enforces `Perm.Download`:
  - [raw.go:82](https://github.com/filebrowser/filebrowser/blob/master/http/raw.go#82)
- Share creation only enforces `Perm.Share`:
  - [share.go:21](https://github.com/filebrowser/filebrowser/blob/master/http/share.go#21)
- Public share/download handlers serve shared content without verifying the owner's `Perm.Download`:
  - [public.go:18](https://github.com/filebrowser/filebrowser/blob/master/http/public.go#18)
  - [public.go:116](https://github.com/filebrowser/filebrowser/blob/master/http/public.go#116)

As a result, a user who is blocked from direct downloads can create a share and obtain the same file via `/api/public/dl/<hash>`.

### PoC

1. Create a non-admin user with:
   - `perm.share = true`
   - `perm.download = false`
2. Log in as that user and upload a **PDF** file:
   - `POST /api/resources/nodl_secret_<rand>.pdf` with `Content-Type: application/pdf`
3. Verify that direct raw download is denied:
   - `GET /api/raw/nodl_secret_<rand>.pdf`
   - Expected and observed: `202 Accepted` (blocked)
4. Create a share for the same file:
   - `POST /api/share/nodl_secret_<rand>.pdf`
   - Observed: `200`, response includes `hash` (example: `qxfK3JMG`)
5. Download publicly without authentication:
   - `GET /api/public/dl/<hash>`
   - Observed (vulnerable): `200`, `Content-Type: application/pdf`, and PDF bytes are returned

Live evidence captured (March 1, 2026):

- `create user`: `201`
- `create file`: `200`
- `direct /api/raw`: `202 Accepted`
- `create share`: `200`
- `public download /api/public/dl/mxK-ppZb`: `200`
- `public download content-type`: `application/pdf`
- `public download body length`: `327` bytes

### Impact

This is an **access control / authorization policy bypass** vulnerability.

- **Who can exploit:** Any authenticated user granted `share=true` but denied `download`.
- **Who is impacted:** Operators and organizations relying on download restrictions to prevent data export.
- **What can happen:** Restricted users can still distribute and retrieve files publicly, including unauthenticated access through share URLs.
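The following Go program is an added illustration of the authorization inconsistency described above and of the hardened rule that closes it; it is not filebrowser's code, and every type, function and status code in it (`Store`, `RawDownload`, `CreateShare`, `PublicDownload`, `SharesByRestrictedOwners`, the `share0001` hash format) is a constructed stand-in. The direct download path checks `Perm.Download`, share creation checks only `Perm.Share`, and the public link handler either skips the owner check (the advisory's behaviour) or re-evaluates the share owner's `Download` permission at serve time. The audit helper goes slightly beyond the advisory: it lists existing links whose owner lacks `Download`, which is what an operator would want to review on an unpatched instance.

```go
package main

import (
	"fmt"
	"net/http"
)

// Hypothetical stand-ins for the permission, user and share records.
type (
	Perm  struct{ Share, Download bool }
	User  struct {
		ID   int
		Perm Perm
	}
	Share struct {
		Path    string
		OwnerID int
	}
)

// Store is a constructed in-memory backend for users, shares and files.
type Store struct {
	users  map[int]User
	shares map[string]Share
	files  map[string][]byte
}

func NewStore() *Store {
	return &Store{users: map[int]User{}, shares: map[string]Share{}, files: map[string][]byte{}}
}

func (s *Store) AddUser(u User)                   { s.users[u.ID] = u }
func (s *Store) PutFile(path string, data []byte) { s.files[path] = data }

// RawDownload models the direct download path, which enforces Perm.Download.
// (The advisory observed 202 for the blocked case; 403 is used here for clarity.)
func (s *Store) RawDownload(u User, path string) (int, []byte) {
	if !u.Perm.Download {
		return http.StatusForbidden, nil
	}
	data, ok := s.files[path]
	if !ok {
		return http.StatusNotFound, nil
	}
	return http.StatusOK, data
}

// CreateShare models share creation, which checks only Perm.Share.
func (s *Store) CreateShare(u User, path string) (int, string) {
	if !u.Perm.Share {
		return http.StatusForbidden, ""
	}
	if _, ok := s.files[path]; !ok {
		return http.StatusNotFound, ""
	}
	hash := fmt.Sprintf("share%04d", len(s.shares)+1) // constructed hash format
	s.shares[hash] = Share{Path: path, OwnerID: u.ID}
	return http.StatusOK, hash
}

// PublicDownload resolves a share hash for an unauthenticated caller.
// enforceOwnerDownload=false reproduces the inconsistent check the advisory
// describes; true applies the hardened rule: the owner's Download permission
// is re-evaluated on every request, so a later revocation also takes effect.
func (s *Store) PublicDownload(hash string, enforceOwnerDownload bool) (int, []byte) {
	sh, ok := s.shares[hash]
	if !ok {
		return http.StatusNotFound, nil
	}
	if enforceOwnerDownload {
		owner, found := s.users[sh.OwnerID]
		if !found || !owner.Perm.Download {
			return http.StatusForbidden, nil
		}
	}
	data, ok := s.files[sh.Path]
	if !ok {
		return http.StatusNotFound, nil
	}
	return http.StatusOK, data
}

// SharesByRestrictedOwners is an operator audit: share hashes whose owner
// lacks Download, i.e. links that should not be serving content.
func (s *Store) SharesByRestrictedOwners() []string {
	var out []string
	for hash, sh := range s.shares {
		if owner, found := s.users[sh.OwnerID]; !found || !owner.Perm.Download {
			out = append(out, hash)
		}
	}
	return out
}

func main() {
	s := NewStore()
	restricted := User{ID: 1, Perm: Perm{Share: true, Download: false}}
	s.AddUser(restricted)
	s.PutFile("nodl_secret.pdf", []byte("%PDF-1.4 constructed sample"))

	code, _ := s.RawDownload(restricted, "nodl_secret.pdf")
	fmt.Println("direct download:", code)
	_, hash := s.CreateShare(restricted, "nodl_secret.pdf")
	code, _ = s.PublicDownload(hash, false)
	fmt.Println("public link, owner check skipped:", code)
	code, _ = s.PublicDownload(hash, true)
	fmt.Println("public link, owner Download enforced:", code)
	fmt.Println("links owned by restricted users:", s.SharesByRestrictedOwners())
}
```

The design point is that the check belongs at serve time in the public handler, not only at share creation: checking `Download` when the link is created would still leave existing links live after an administrator later revokes the permission, whereas re-evaluating the owner's permission on each request makes the public path consistent with the direct path.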
Analysis
FileBrowser contains an authorization bypass vulnerability where users with share privileges but without download privileges can still expose and retrieve file content via public share links, enabling unauthorized data exfiltration to unauthenticated users. The vulnerability affects FileBrowser (CPE: pkg:go/https:__github.com_filebrowser_filebrowser) and has been confirmed with a working proof-of-concept demonstrating that restricted users can create shares and access files publicly despite download restrictions. …
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of the regular patch cycle. Monitor vendor channels for patch availability.
External POC / Exploit Code
GHSA-68j5-4m99-w9w9