Skip to main content

File Browser CVE-2026-54097

| EUVDEUVD-2026-39505 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-12 https://github.com/filebrowser/filebrowser GHSA-5ww9-jg6q-38r7
7.2
CVSS 4.0 · Vendor: https://github.com/filebrowser/filebrowser
Share

Severity by source

Vendor (https://github.com/filebrowser/filebrowser) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable authenticated low-priv user (PR:L) deletes arbitrary users' share data with no UI; no confidentiality impact (C:N), high integrity loss and feature-level DoS (I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/filebrowser/filebrowser).

CVSS VectorVendor: https://github.com/filebrowser/filebrowser

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 25, 2026 - 19:34 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 25, 2026 - 19:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 25, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jun 25, 2026 - 19:22 NVD
7.2 (HIGH)
Source Code Evidence Fetched
Jun 12, 2026 - 21:52 vuln.today
Analysis Generated
Jun 12, 2026 - 21:52 vuln.today

DescriptionCVE.org

Summary

A low-privileged authenticated user of filebrowser (with create + delete permissions in their own isolated scope) can silently destroy share-link records belonging to any other user - including the administrator - by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored share.Link.Path. The file contents of the victim are not exposed, but the victim's share links are irrevocably wiped.

Details

resourceDeleteHandler in http/resource.go cleans up any share records that reference a deleted file by calling:

go
// http/resource.go
err = d.store.Share.DeleteWithPathPrefix(file.Path)

file.Path here is the *logical* path from the URL of the deleting user's request (e.g. /a), not the absolute filesystem path. It is passed as-is to the bolt backend:

go
// storage/bolt/share.go
func (s shareBackend) DeleteWithPathPrefix(pathPrefix string) error {
    var links []share.Link
    if err := s.db.Prefix("Path", pathPrefix, &links); err != nil {
        return err
    }
    for _, link := range links {
        err = errors.Join(err, s.db.DeleteStruct(&share.Link{Hash: link.Hash}))
    }
    return err
}

Why the design contradicts this behavior. share.Link carries a UserID field and the application elsewhere treats shares as per-user owned resources. shareDeleteHandler explicitly enforces link.UserID != d.user.ID && !d.user.Perm.Admin → 403. The file-deletion side-effect path is the only location that bypasses this rule.

Impact

  • Integrity: unauthorized deletion of share-link metadata belonging to arbitrary users, including administrators.
  • Availability: effective denial-of-service of the share-link feature - a cooperating (or malicious) low-priv user can wipe the bulk of existing share links by iterating a short set of one- and two-character prefixes.

AnalysisAI

Cross-user share-link deletion in File Browser (filebrowser/filebrowser v2 ≤ 2.63.5) lets a low-privileged authenticated user with create+delete permissions in their own isolated scope irrevocably wipe share-link records owned by any other account, including the administrator. Deleting a file whose logical path is a byte-prefix of another user's stored share.Link.Path triggers an unbounded prefix match that bypasses the per-user ownership check enforced everywhere else. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 5th percentile), but a vendor patch (v2.63.6) is available.

Technical ContextAI

File Browser is a self-hosted Go web application for browsing and managing files, using a BoltDB (storm) backend for metadata such as share links. The flaw is CWE-639 (Authorization Bypass Through User-Controlled Key / IDOR): resourceDeleteHandler in http/resource.go cleans up share records for a deleted file by calling store.Share.DeleteWithPathPrefix(file.Path), passing the logical URL path of the requesting user. The bolt shareBackend.DeleteWithPathPrefix runs a storm Prefix('Path', pathPrefix) query and deletes every matching share.Link regardless of its UserID. Because matching is an unbounded byte-prefix (e.g. '/a' matches '/a', '/a/child', and unrelated '/abc' across all users) and never consults link.UserID, it contradicts shareDeleteHandler, which explicitly returns 403 when link.UserID != d.user.ID && !d.user.Perm.Admin. CPE coverage is pkg:go/github.com_filebrowser_filebrowser and the v2 module.

RemediationAI

Vendor-released patch: 2.63.6 - upgrade the v2 module to File Browser 2.63.6 or later, which adds a userID parameter to DeleteWithPathPrefix and restricts deletion to links owned by the requesting user plus a precise path-boundary check (link.Path == prefix or HasPrefix(link.Path, prefix+'/')), eliminating the cross-user and sibling-prefix over-match (see commit https://github.com/filebrowser/filebrowser/commit/0231b7ebdfbe77a6c54027d30c4856c3fd81ee4d and advisory https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5ww9-jg6q-38r7). Legacy 1.x has no identified fixed release, so migrate to patched v2. If immediate patching is impossible, the most effective compensating control is to avoid granting delete permission to untrusted accounts on shared/multi-tenant instances and to limit accounts to single-tenant or trusted users (trade-off: removes self-service file deletion for those users); operators can also periodically back up the Bolt database so wiped share links can be restored (trade-off: backups do not prevent the deletion, only enable recovery).

Share

CVE-2026-54097 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy