logo

Database

Authentication mechanism absence or evasion In github.com/filebrowser/filebrowser/v2

Description

File Browser share links remain accessible after Share/Download permissions are revoked When an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. Verified with a running PoC against v2.62.2 (commit 860c19d).

Details

Share creation (http/share.go:21-29) correctly checks permissions:

func withPermShare(fn handleFunc) handleFunc {
    return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
        if !d.user.Perm.Share || !d.user.Perm.Download {
            return http.StatusForbidden, nil
        }
        return fn(w, r, d)
    })
}...

But share access (http/public.go:18-87, withHashFile) does not:

var withHashFile = func(fn handleFunc) handleFunc {
    return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
        link, err := d.store.Share.GetByHash(id)   // line 21: checks share exists
        authenticateShareRequest(r, link)            // line 26: checks password
        user, err := d.store.Users.Get(...)          // line 31: checks user exists
        d.user = user                                // line 36: sets user
        file, err := files.NewFileInfo(...)           // line 38: gets file
        // MISSING: no check for d.user.Perm.Share or d.user.Perm.Download...

Proof of Concept (runtime-verified)

# Step 1: Login as admin
TOKEN=$(curl -s -X POST http://localhost:18080/api/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"<admin-password>"}')

# Step 2: Create testuser with Share+Download permissions
curl -X POST http://localhost:18080/api/users \
  -H "X-Auth: $TOKEN" -H "Content-Type: application/json" \...

Impact

When an admin revokes a user's Share or Download permissions:

    New share creation is correctly blocked (403)

    But all existing shares created by that user remain fully accessible to unauthenticated users

    The admin has a false sense of security: they believe revoking Share permission stops all sharing

This is the same vulnerability class as GHSA-68j5-4m99-w9w9 ("Authorization Policy Bypass in Public Share Download Flow").

Suggested Fix

Add permission re-validation in withHashFile:

user, err := d.store.Users.Get(d.server.Root, link.UserID)
if err != nil {
    return errToStatus(err), err
}

// Verify the share owner still has Share and Download permissions
if !user.Perm.Share || !user.Perm.Download {
    return http.StatusForbidden, nil...

Update: Fix submitted as PR #5888.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-356042. NVD-2026-356043. OSV-2026-356044. GHSA-v9w4-gm2x-6rvf5. GCVE-2026-35604

References

1. https://github.com/filebrowser/filebrowser/security/advisories/GHSA-v9w4-gm2x-6rvf2. https://github.com/filebrowser/filebrowser/pull/5888

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.