TROYANOSYVIRUS
Voltar para CVEs

CVE-2026-32761

MEDIUM
6.5

Descricao

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/<hash>) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0.

Detalhes CVE

Pontuacao CVSS v3.16.5
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioNONE
Publicado3/20/2026
Ultima modificacao3/23/2026
Fontenvd
Avistamentos honeypot0

Produtos afetados

filebrowser:filebrowser

Fraquezas (CWE)

CWE-284CWE-639CWE-863

Referencias

https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32(security-advisories@github.com)
https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0(security-advisories@github.com)
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9(security-advisories@github.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.