Skip to main content

FileBrowser Quantum CVE-2026-46410

HIGH
Information Exposure (CWE-200)
2026-05-19 https://github.com/gtsteffaniak/filebrowser GHSA-3jmg-p96m-m328
Share

Lifecycle Timeline

2
Source Code Evidence Fetched
May 19, 2026 - 20:30 vuln.today
Analysis Generated
May 19, 2026 - 20:30 vuln.today

DescriptionCVE.org

Impact

Some sensitive info -- such as source and path can get exposed.

Patches

Update to the latest version

Workarounds

no

AnalysisAI

Information disclosure in FileBrowser Quantum (gtsteffaniak/filebrowser) allows unauthenticated users to view sensitive share information including source paths through the anonymous user account. The flaw stems from default user settings being applied to the anonymous user, exposing source and path data that should remain restricted. No public exploit identified at time of analysis, but a patched version (v1.4.1) has been released by the upstream maintainer.

Technical ContextAI

FileBrowser Quantum is a Go-based web file browser application (github.com/gtsteffaniak/filebrowser) that supports share links and an anonymous user role for public access scenarios. The root cause maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the ApplyUserDefaults function in backend/common/settings/settings.go applied default scopes and settings to the anonymous user account, causing it to inherit source/path information meant only for authenticated users. The fix introduces an early return when the username is 'anonymous', preventing default scope inheritance for the public-facing role.

RemediationAI

Vendor-released patch: upgrade to FileBrowser Quantum v1.4.1 or the pseudo-versioned Go module release 1.2.1-stable.0.20260514154726-1802e1281135 (backend module 0.0.0-20260514154726-1802e1281135), which contains commit 1802e1281135cba83eb4acd86b58293fe121e2a5 hardening the anonymous user defaults. The vendor explicitly states no workarounds exist, so patching is the only supported fix; as a compensating control until upgrade, operators can disable anonymous/public share access entirely or place the application behind an authenticating reverse proxy that blocks unauthenticated requests to share endpoints, at the cost of breaking public link sharing functionality. Refer to the advisory at https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-3jmg-p96m-m328 and the patch commit at https://github.com/gtsteffaniak/filebrowser/commit/1802e1281135cba83eb4acd86b58293fe121e2a5.

Share

CVE-2026-46410 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy