PT-2026-24169 · Unknown · Filebrowser

Mdcoxe · Published 2026-03-09 · Updated 2026-03-25 · CVE-2026-30933

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FileBrowser versions prior to 1.3.1-beta and 1.2.2-stable

Description: An incomplete remediation for a previous issue allows disclosure of tokenized download URLs via the /public/api/share/info endpoint for password-protected shares. The issue arises because tokenized download URLs are written into the persistent share model and the public endpoint does not clear the DownloadURL before returning the share information. This allows an unauthenticated attacker to retrieve password-protected shared files without the password, resulting in authentication bypass and unauthorized file access. The vulnerable endpoint is /public/api/share/info, which returns share information including the DownloadURL. The DownloadURL parameter contains a token that grants access to the shared file. The vulnerable code is located in backend/http/share.go (specifically the convertToFrontendShareResponse function) and backend/share.go (specifically the shareInfoHandler method).

Recommendations: Versions prior to 1.3.1-beta must be updated. Versions prior to 1.2.2-stable must be updated. Sanitize the DownloadURL in public share info responses by setting commonShare.DownloadURL = "" before returning the JSON response in the shareInfoHandler method located in backend/share.go.
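The defect and the recommended fix, reduced to a self-contained Go example added here (illustrative code, not FileBrowser's own): a persisted share record carries a tokenized DownloadURL, the public share-info response is rendered with or without clearing that field, and a regression check confirms that the sanitized response exposes no download URL. The Share type, field names, and the sample token are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Share is a simplified stand-in for a persisted share record that carries a
// tokenized download URL (constructed for this example, not FileBrowser's model).
type Share struct {
	Hash        string `json:"hash"`
	Path        string `json:"path"`
	Protected   bool   `json:"protected"`
	DownloadURL string `json:"downloadURL,omitempty"`
}

// publicShareInfo renders the public share-info response. With sanitize=false it
// reproduces the defect: the stored DownloadURL, token included, is serialized for
// an unauthenticated caller. With sanitize=true it applies the recommended fix of
// clearing DownloadURL on the response copy before encoding.
func publicShareInfo(s Share, sanitize bool) ([]byte, error) {
	resp := s // copy, so the persisted record itself is left untouched
	if sanitize {
		resp.DownloadURL = ""
	}
	return json.Marshal(resp)
}

// leaksDownloadToken is a regression check for the public endpoint: the info
// response for a share must not carry a download URL at all.
func leaksDownloadToken(body []byte) (bool, error) {
	var got map[string]any
	if err := json.Unmarshal(body, &got); err != nil {
		return false, err
	}
	u, _ := got["downloadURL"].(string)
	return strings.TrimSpace(u) != "", nil
}

func main() {
	// Constructed sample: a password-protected share whose stored record holds a token.
	s := Share{Hash: "abc123", Path: "/report.pdf", Protected: true,
		DownloadURL: "/public/dl/abc123?token=CONSTRUCTED-SAMPLE-TOKEN"}
	for _, fixed := range []bool{false, true} {
		body, _ := publicShareInfo(s, fixed)
		leak, _ := leaksDownloadToken(body)
		fmt.Printf("sanitize=%v leaks=%v body=%s\n", fixed, leak, body)
	}
}
```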

Tags: Exploit · Fix · Information Disclosure · Missing Authentication

Related Identifiers

CVE-2026-30933
GHSA-525J-95GF-766F
GO-2026-4659
SUSE-SU-2026:1042-1

Affected Products

Filebrowser