CVE-2026-32761
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
A permission enforcement flaw allows users without download privileges (download=false) to still expose and retrieve file content via public share links when they retain share privileges (share=true). This bypasses intended access control policy and enables unauthorized data exfiltration to unauthenticated users. Where download restrictions are used for data-loss prevention or role separation.
Details
The backend applies inconsistent authorization checks across download paths:
- Direct raw download correctly enforces
Perm.Download: - [raw.go](filebrowser/http/raw.go:82)
- Share creation only enforces
Perm.Share: - [share.go](filebrowser/http/share.go:21)
- Public share/download handlers serve shared content without verifying owner
Perm.Download: - public.go(filebrowser/http/public.go:18)
- public.go(filebrowser/http/public.go:116)
As a result, a user who is blocked from direct downloads can create a share and obtain the same file via /api/public/dl/<hash>.
PoC
- Create a non-admin user with:
perm.share = trueperm.download = false
- Login as that user and upload a PDF file:
POST /api/resources/nodl_secret_<rand>.pdfwithContent-Type: application/pdf
- Verify direct raw download is denied:
GET /api/raw/nodl_secret_<rand>.pdf- Expected and observed:
202 Accepted(blocked)
- Create share for same file:
POST /api/share/nodl_secret_<rand>.pdf- Observed:
200, response includeshash(example:qxfK3JMG)
- Download publicly without authentication:
GET /api/public/dl/<hash>- Observed (vulnerable):
200,Content-Type: application/pdf, and PDF bytes are returned
Live evidence captured (March 1, 2026):
create user:201create file:200direct /api/raw:202 Acceptedcreate share:200public download /api/public/dl/mxK-ppZb:200public download content-type:application/pdfpublic download body length:327bytes
Impact
This is an access control / authorization policy bypass vulnerability.
- Who can exploit: Any authenticated user granted
share=truebut denieddownload. - Who is impacted: Operators and organizations relying on download restrictions to prevent data export.
- What can happen: Restricted users can still distribute and retrieve files publicly, including unauthenticated access through share URLs.
AnalysisAI
FileBrowser contains an authorization bypass vulnerability where users with share privileges but without download privileges can still expose and retrieve file content via public share links, enabling unauthorized data exfiltration to unauthenticated users. The vulnerability affects FileBrowser (CPE: pkg:go/https:__github.com_filebrowser_filebrowser) and has been confirmed with a working proof-of-concept demonstrating that restricted users can create shares and access files publicly despite download restrictions. With a CVSS score of 6.5 and an attack vector requiring only low privileges and no user interaction, this represents a significant access control bypass in environments relying on download restrictions for data loss prevention.
Technical ContextAI
FileBrowser is a Go-based web file browser and manager (https://github.com/filebrowser/filebrowser) that implements role-based access control through permission flags including Perm.Share and Perm.Download. The vulnerability stems from inconsistent authorization enforcement across three HTTP handlers: the raw.go handler correctly enforces Perm.Download for direct downloads (returning 202 Accepted when denied), the share.go handler only checks Perm.Share when creating shares (line 21), and critically, the public.go handler (lines 18 and 116) serves publicly shared content without re-verifying the original file owner's Perm.Download permission. This represents a classic CWE-284 (Improper Access Control) where authorization checks are applied inconsistently across different code paths that access the same protected resource. The root cause is that public share handlers treat the share hash as sufficient authorization without maintaining the access control policy of the original file owner.
RemediationAI
Upgrade FileBrowser to the patched version released by the maintainers in response to advisory GHSA-68j5-4m99-w9w9 (available at https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9). The patch ensures that public share handlers re-validate the file owner's Perm.Download permission before serving content, closing the authorization bypass. As an interim workaround for organizations unable to upgrade immediately, implement network-level access controls to restrict the /api/public/dl/ endpoint to trusted IP ranges, enforce authentication on public share endpoints via reverse proxy, or temporarily disable share functionality (Perm.Share) for users who should not have download access. Additionally, audit existing shares created by users with download=false to identify any potential unauthorized data exposure and revoke sensitive shares until patching is completed.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-68j5-4m99-w9w9