Which versions of Filebrowser are affected by EUVD-2026-19776?

File Browser versions prior to 2.63.1 contain an authorization bypass that allows unauthenticated users to retain access to shared files even after administrators revoke sharing permissions, creating…. A patch is available.

How to fix or mitigate EUVD-2026-19776?

Within 24 hours: Identify all File Browser instances in your environment and document current versions; disable or audit all active share links pending security review. Within 7 days: Upgrade all File Browser installations to version 2.63.1 or later and revoke/recreate all share links created under previous versions. Within 30 days: Implement access logging and monitoring for public share endpoints; conduct a data exposure assessment to identify any files that may have been accessed via revoked share links.

Filebrowser EUVD-2026-19776

Q: What is the CVSS score of EUVD-2026-19776?

EUVD-2026-19776 has a CVSS 4.0 base score of 8.2 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2026-35604 HIGH

Incorrect Authorization (CWE-863)

2026-04-07 GitHub_M

GHSA-v9w4-gm2x-6rvf

Authentication Bypass Filebrowser

8.2

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.2 HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 16, 2026 - 18:37 vuln.today

cvss_changed

Patch released

Apr 08, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 07, 2026 - 17:00 euvd

EUVD-2026-19776

Analysis Generated

Apr 07, 2026 - 17:00 vuln.today

CVE Published

Apr 07, 2026 - 16:22 nvd

HIGH 8.2

DescriptionGitHub Advisory

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. This vulnerability is fixed in 2.63.1.

AnalysisAI

Authorization bypass in File Browser allows unauthenticated access to shared files after permissions revoked. When administrators revoke a user's Share and Download permissions in File Browser (versions prior to 2.63.1), previously created share links remain accessible to unauthenticated users due to missing permission re-validation in the public share handler. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Admin revokes user share permissions

Exploit

Attacker accesses pre-existing share link

Execution

Download handler skips permission re-check

Impact

Unauthorized file access granted

Access

Admin revokes user share permissions

Exploit

Attacker accesses pre-existing share link

Execution

Download handler skips permission re-check

Impact

Unauthorized file access granted

Vulnerability AssessmentAI

Exploitation	File Browser versions prior to 2.63.1. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Real-world risk is moderate despite the 8.2 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An administrator revokes Share and Download permissions for a departing contractor who previously created public share links to sensitive project documentation stored in File Browser. Despite the permission revocation appearing successful in the admin interface, the contractor retains the share URLs in their browser history or documentation. …
Remediation	Upgrade File Browser to version 2.63.1 or later, which contains the authorization fix addressing improper permission validation in the public share handler. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all File Browser instances in your environment and document current versions; disable or audit all active share links pending security review. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48777 CRITICAL Act Now

9.3 Jun 16

Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all

EUVD-2026-19776 vulnerability details – vuln.today

Back