FileBrowser Quantum CVE-2026-46410
HIGHLifecycle Timeline
2DescriptionCVE.org
Impact
Some sensitive info -- such as source and path can get exposed.
Patches
Update to the latest version
Workarounds
no
AnalysisAI
Information disclosure in FileBrowser Quantum (gtsteffaniak/filebrowser) allows unauthenticated users to view sensitive share information including source paths through the anonymous user account. The flaw stems from default user settings being applied to the anonymous user, exposing source and path data that should remain restricted. No public exploit identified at time of analysis, but a patched version (v1.4.1) has been released by the upstream maintainer.
Technical ContextAI
FileBrowser Quantum is a Go-based web file browser application (github.com/gtsteffaniak/filebrowser) that supports share links and an anonymous user role for public access scenarios. The root cause maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the ApplyUserDefaults function in backend/common/settings/settings.go applied default scopes and settings to the anonymous user account, causing it to inherit source/path information meant only for authenticated users. The fix introduces an early return when the username is 'anonymous', preventing default scope inheritance for the public-facing role.
RemediationAI
Vendor-released patch: upgrade to FileBrowser Quantum v1.4.1 or the pseudo-versioned Go module release 1.2.1-stable.0.20260514154726-1802e1281135 (backend module 0.0.0-20260514154726-1802e1281135), which contains commit 1802e1281135cba83eb4acd86b58293fe121e2a5 hardening the anonymous user defaults. The vendor explicitly states no workarounds exist, so patching is the only supported fix; as a compensating control until upgrade, operators can disable anonymous/public share access entirely or place the application behind an authenticating reverse proxy that blocks unauthenticated requests to share endpoints, at the cost of breaking public link sharing functionality. Refer to the advisory at https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-3jmg-p96m-m328 and the patch commit at https://github.com/gtsteffaniak/filebrowser/commit/1802e1281135cba83eb4acd86b58293fe121e2a5.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-3jmg-p96m-m328