
Filebrowser CVE-2026-35606

EUVD-2026-19780 · MEDIUM
Missing Authorization (CWE-862)
2026-04-07 · GitHub Advisory GHSA-67cg-cpj7-qgc9
5.3 (CVSS 4.0 · GitHub Advisory)

Severity by source

GitHub Advisory (primary): 5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

- Patch released (patch available): Apr 08, 2026 - 02:30 (nvd)
- EUVD ID Assigned: Apr 07, 2026 - 17:00 (euvd) · EUVD-2026-19780
- Analysis Generated: Apr 07, 2026 - 17:00 (vuln.today)
- CVE Published: Apr 07, 2026 - 16:29 (nvd)

Description (GitHub Advisory)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other content-serving endpoints (/api/raw, /api/preview, /api/subtitle) correctly verify this permission before serving content. A user with download: false can read any text file within their scope through two bypass paths. This vulnerability is fixed in 2.63.1.

Analysis (AI)

File Browser versions prior to 2.63.1 allow an authenticated user whose download permission is disabled (download: false) to bypass that restriction and read the content of any text file within their scope through the resourceGetHandler endpoint in http/resource.go. That handler fails to validate the Perm.Download permission flag, unlike the three other content-serving endpoints (/api/raw, /api/preview, /api/subtitle), which enforce it before serving content. This missing-authorization flaw affects any File Browser deployment where users are granted access but restricted from downloading files, and is fixed in version 2.63.1.
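The missing check described above, as an added Go model that is not File Browser's own code: a miniature resource handler that inlines text-file content. With enforce=false it reproduces the pre-2.63.1 behaviour of ignoring Perm.Download; with enforce=true it withholds the content from download:false users while still returning metadata. The Permissions, User and Resource types, the in-memory file map, and the metadata-only fix are assumptions for illustration; the page does not state how the upstream 2.63.1 patch is implemented.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Permissions and User are a simplified stand-in (an assumption, not the
// project's types) for the per-user flag the advisory calls Perm.Download.
type Permissions struct{ Download bool }
type User struct{ Perm Permissions }

// Resource is the response shape: path metadata plus, for text files, the
// inlined content. Serving Content to download:false users is the bug.
type Resource struct {
	Path    string `json:"path"`
	Content string `json:"content,omitempty"`
}

// Constructed in-memory file tree standing in for the user's scope.
var files = map[string]string{"/notes.txt": "quarterly numbers: internal only"}

// resourceGet models the handler. enforce=false inlines text content without
// consulting Perm.Download (pre-2.63.1). enforce=true keeps the metadata but
// drops Content when download is off, the gate /api/raw already applied.
func resourceGet(u User, enforce bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, ok := files[r.URL.Path]
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		res := Resource{Path: r.URL.Path, Content: body}
		if enforce && !u.Perm.Download {
			res.Content = "" // metadata only: inlined content needs Perm.Download
		}
		_ = json.NewEncoder(w).Encode(res)
	}
}

// fetch issues GET /notes.txt and reports the status code and whether the
// file body appeared in the response (true means content was served).
func fetch(u User, enforce bool) (int, bool) {
	rec := httptest.NewRecorder()
	resourceGet(u, enforce)(rec, httptest.NewRequest("GET", "/notes.txt", nil))
	return rec.Code, strings.Contains(rec.Body.String(), files["/notes.txt"])
}
```

A regression test for a deployment is the same three cases: a download:false user must get metadata but no content, while a download:true user still gets both.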


Vulnerability Assessment (AI)

Risk Assessment: This vulnerability presents moderate real-world risk despite its low CVSS score of 5.3. …

Exploit Scenario: An authenticated user with legitimate access to File Browser, but whose download permission flag has been explicitly disabled by an administrator (download: false), can request the resourceGetHandler endpoint to retrieve and read the full text content of files within their authorized directory scope. For example, a contractor granted read-only access to a project directory for reference purposes, but restricted from downloading files to maintain compliance logging, could bypass this restriction by requesting file content directly through the vulnerable endpoint. …

Remediation: Vendor-released patch: File Browser 2.63.1. …


CVE-2026-35606 vulnerability details – vuln.today
