Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable authenticated low-priv user (PR:L) deletes arbitrary users' share data with no UI; no confidentiality impact (C:N), high integrity loss and feature-level DoS (I:H/A:H).
Primary rating from Vendor (https://github.com/filebrowser/filebrowser).
CVSS VectorVendor: https://github.com/filebrowser/filebrowser
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Summary
A low-privileged authenticated user of filebrowser (with create + delete permissions in their own isolated scope) can silently destroy share-link records belonging to any other user - including the administrator - by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored share.Link.Path. The file contents of the victim are not exposed, but the victim's share links are irrevocably wiped.
Details
resourceDeleteHandler in http/resource.go cleans up any share records that reference a deleted file by calling:
// http/resource.go
err = d.store.Share.DeleteWithPathPrefix(file.Path)file.Path here is the *logical* path from the URL of the deleting user's request (e.g. /a), not the absolute filesystem path. It is passed as-is to the bolt backend:
// storage/bolt/share.go
func (s shareBackend) DeleteWithPathPrefix(pathPrefix string) error {
var links []share.Link
if err := s.db.Prefix("Path", pathPrefix, &links); err != nil {
return err
}
for _, link := range links {
err = errors.Join(err, s.db.DeleteStruct(&share.Link{Hash: link.Hash}))
}
return err
}Why the design contradicts this behavior. share.Link carries a UserID field and the application elsewhere treats shares as per-user owned resources. shareDeleteHandler explicitly enforces link.UserID != d.user.ID && !d.user.Perm.Admin → 403. The file-deletion side-effect path is the only location that bypasses this rule.
Impact
- Integrity: unauthorized deletion of share-link metadata belonging to arbitrary users, including administrators.
- Availability: effective denial-of-service of the share-link feature - a cooperating (or malicious) low-priv user can wipe the bulk of existing share links by iterating a short set of one- and two-character prefixes.
AnalysisAI
Cross-user share-link deletion in File Browser (filebrowser/filebrowser v2 ≤ 2.63.5) lets a low-privileged authenticated user with create+delete permissions in their own isolated scope irrevocably wipe share-link records owned by any other account, including the administrator. Deleting a file whose logical path is a byte-prefix of another user's stored share.Link.Path triggers an unbounded prefix match that bypasses the per-user ownership check enforced everywhere else. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 5th percentile), but a vendor patch (v2.63.6) is available.
Technical ContextAI
File Browser is a self-hosted Go web application for browsing and managing files, using a BoltDB (storm) backend for metadata such as share links. The flaw is CWE-639 (Authorization Bypass Through User-Controlled Key / IDOR): resourceDeleteHandler in http/resource.go cleans up share records for a deleted file by calling store.Share.DeleteWithPathPrefix(file.Path), passing the logical URL path of the requesting user. The bolt shareBackend.DeleteWithPathPrefix runs a storm Prefix('Path', pathPrefix) query and deletes every matching share.Link regardless of its UserID. Because matching is an unbounded byte-prefix (e.g. '/a' matches '/a', '/a/child', and unrelated '/abc' across all users) and never consults link.UserID, it contradicts shareDeleteHandler, which explicitly returns 403 when link.UserID != d.user.ID && !d.user.Perm.Admin. CPE coverage is pkg:go/github.com_filebrowser_filebrowser and the v2 module.
RemediationAI
Vendor-released patch: 2.63.6 - upgrade the v2 module to File Browser 2.63.6 or later, which adds a userID parameter to DeleteWithPathPrefix and restricts deletion to links owned by the requesting user plus a precise path-boundary check (link.Path == prefix or HasPrefix(link.Path, prefix+'/')), eliminating the cross-user and sibling-prefix over-match (see commit https://github.com/filebrowser/filebrowser/commit/0231b7ebdfbe77a6c54027d30c4856c3fd81ee4d and advisory https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5ww9-jg6q-38r7). Legacy 1.x has no identified fixed release, so migrate to patched v2. If immediate patching is impossible, the most effective compensating control is to avoid granting delete permission to untrusted accounts on shared/multi-tenant instances and to limit accounts to single-tenant or trusted users (trade-off: removes self-service file deletion for those users); operators can also periodically back up the Bolt database so wiped share links can be restored (trade-off: backups do not prevent the deletion, only enable recovery).
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39505
GHSA-5ww9-jg6q-38r7