PT-2026-21839 · Unknown · Filebrowser Quantum

Byteafterlife · Published 2026-02-25 · Updated 2026-03-18 · CVE-2026-27611

CVSS v4.0: 7.1 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

FileBrowser Quantum versions prior to 1.1.3-stable
FileBrowser Quantum versions prior to 1.2.6-beta

Description

FileBrowser Quantum is a self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, a flaw existed where password-protected file shares could be bypassed, allowing unauthorized download access. The issue stemmed from the API returning a direct download link within the share details, accessible with only the share link, circumventing the password requirement. The vulnerable API endpoint provides access to the file without authentication. The share link is the vulnerable parameter.

Recommendations

Update to FileBrowser Quantum version 1.1.3-stable or later.
Update to FileBrowser Quantum version 1.2.6-beta or later.
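
The flaw class in the description above, sketched as an added example (this is not FileBrowser Quantum's code): a share-details response that always carries a download link, beside one that withholds it until the share password has been verified. The `Share` and `ShareInfo` types, the `/dl/` path and the HMAC token scheme are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Hypothetical types for this sketch; field names are assumptions.
type Share struct {
	Hash      string // identifier carried in the share link
	Protected bool   // true when the owner set a password
}
type ShareInfo struct {
	PasswordRequired bool
	DownloadURL      string // empty when withheld
}

// issueToken is called only after the share password has been verified.
func issueToken(key []byte, s Share) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(s.Hash))
	return hex.EncodeToString(m.Sum(nil))
}

// authorized is the single gate for both the details and download handlers.
func authorized(key []byte, s Share, token string) bool {
	return !s.Protected || hmac.Equal([]byte(token), []byte(issueToken(key, s)))
}

// infoVulnerable models the flaw: the share link alone yields a download URL.
func infoVulnerable(s Share) ShareInfo {
	return ShareInfo{PasswordRequired: s.Protected, DownloadURL: "/dl/" + s.Hash}
}

// infoHardened withholds the URL until a valid password token is presented.
func infoHardened(key []byte, s Share, token string) ShareInfo {
	info := ShareInfo{PasswordRequired: s.Protected}
	if authorized(key, s, token) {
		info.DownloadURL = "/dl/" + s.Hash
	}
	return info
}

func main() {
	key, s := []byte("constructed-demo-key"), Share{Hash: "abc123", Protected: true}
	fmt.Println(infoVulnerable(s), infoHardened(key, s, ""), infoHardened(key, s, issueToken(key, s)))
}
```

Withholding the link in the details response is not sufficient on its own: the download handler has to call the same `authorized` check, because the description states the endpoint itself served the file without authentication.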

Exploit

Fix

Information Disclosure

Improper Authentication

Authentication Bypass Using an Alternate Path or Channel

Weakness Enumeration

Related Identifiers

CVE-2026-27611
GHSA-8VRH-3PM2-V4V6
GO-2026-4546
SUSE-SU-2026:0757-1

Affected Products

Filebrowser Quantum