PT-2026-26089 · Unknown · Filebrowser

Ahmad-Jarwan · Published 2026-03-18 · Updated 2026-04-07 · CVE-2026-32761

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: File Browser versions 2.61.0 and below
Description: File Browser is a file managing interface that allows users to upload, delete, preview, rename, and edit files. A permission enforcement issue exists where users with share privileges (perm.share = true) but without download privileges (perm.download = false) can bypass download restrictions and exfiltrate file content. This is achieved by creating public share links and then retrieving the files via the public download handler ('/api/public/dl/'). The direct raw download endpoint ('/api/raw/') correctly enforces download permissions, but the share creation endpoint only checks share permissions, and the public download handler serves file content without verifying the original file owner's download permission. This bypass undermines data-loss prevention and role-separation policies: restricted users can publicly distribute files they are explicitly blocked from downloading directly. The backend applies inconsistent authorization checks across download paths, specifically in raw.go, share.go, and public.go. A proof-of-concept demonstrates that a user without download permissions can upload a file, create a share, and then download the file publicly using the generated hash.
Recommendations: Versions prior to 2.62.0 are affected. Update to version 2.62.0 or later to resolve this issue.
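The inconsistency the description identifies (the raw endpoint gates on perm.download, the share endpoint only on perm.share, and the public handler on nothing) can be made concrete with a small Go model of the three checks. This is an added illustrative example, not File Browser's own code: the types Perm, User and Share, the functions rawDownload, createShareWeak, publicDownloadWeak, createShareHardened and publicDownloadHardened, the in-memory readFile stand-in and the deterministic share hash are all assumptions constructed for the demonstration. The hardened variants show the defender-side fix: the owner's download permission is required when a share is created and is re-checked when the public link is served, so that a later revocation is also honoured.

```go
package main

import (
	"errors"
	"fmt"
)

// Perm models the two per-user flags named in the advisory (perm.share, perm.download).
// Illustrative model only; not File Browser's actual types.
type Perm struct {
	Share    bool
	Download bool
}

// User is an authenticated account with its permission flags.
type User struct {
	Name string
	Perm Perm
}

// Share records who created a public link and for which path. The hash is a
// constructed placeholder; a real implementation would generate a random value.
type Share struct {
	Hash  string
	Path  string
	Owner *User
}

// ErrForbidden is returned whenever an authorization check fails.
var ErrForbidden = errors.New("forbidden")

// readFile stands in for the filesystem; the content is constructed sample data.
func readFile(path string) string { return "contents of " + path }

// rawDownload models the direct endpoint (/api/raw/): it correctly requires perm.download.
func rawDownload(u *User, path string) (string, error) {
	if !u.Perm.Download {
		return "", ErrForbidden
	}
	return readFile(path), nil
}

// createShareWeak models the pre-fix share endpoint: only perm.share is consulted.
func createShareWeak(u *User, path string) (*Share, error) {
	if !u.Perm.Share {
		return nil, ErrForbidden
	}
	return &Share{Hash: "placeholder-" + path, Path: path, Owner: u}, nil
}

// publicDownloadWeak models the pre-fix public handler (/api/public/dl/): it serves the
// file with no reference to the owner's permissions, which is the gap the advisory describes.
func publicDownloadWeak(s *Share) (string, error) {
	return readFile(s.Path), nil
}

// createShareHardened requires the same permission the raw endpoint requires, so a
// share can never grant more than its creator could obtain directly.
func createShareHardened(u *User, path string) (*Share, error) {
	if !u.Perm.Share || !u.Perm.Download {
		return nil, ErrForbidden
	}
	return &Share{Hash: "placeholder-" + path, Path: path, Owner: u}, nil
}

// publicDownloadHardened re-checks the owner's download permission at serve time, so a
// permission removed after the link was created stops the link from working.
func publicDownloadHardened(s *Share) (string, error) {
	if s.Owner == nil || !s.Owner.Perm.Download {
		return "", ErrForbidden
	}
	return readFile(s.Path), nil
}

// weakFlow chains the two pre-fix checks: share creation followed by a public download.
func weakFlow(u *User, path string) (string, error) {
	s, err := createShareWeak(u, path)
	if err != nil {
		return "", err
	}
	return publicDownloadWeak(s)
}

// hardenedFlow chains the corrected checks.
func hardenedFlow(u *User, path string) (string, error) {
	s, err := createShareHardened(u, path)
	if err != nil {
		return "", err
	}
	return publicDownloadHardened(s)
}

func main() {
	shareOnly := &User{Name: "share-only", Perm: Perm{Share: true, Download: false}}
	_, rawErr := rawDownload(shareOnly, "report.pdf")
	_, weakErr := weakFlow(shareOnly, "report.pdf")
	_, hardErr := hardenedFlow(shareOnly, "report.pdf")
	fmt.Println("raw endpoint:", rawErr)      // forbidden
	fmt.Println("weak share flow:", weakErr)  // <nil>: the content is served
	fmt.Println("hardened flow:", hardErr)    // forbidden
}
```

The point of keeping both createShareHardened and publicDownloadHardened is that the two checks answer different questions: the first prevents a share-only user from minting a link at all, while the second makes an existing link inherit later permission changes on the owner, which a creation-time check alone cannot do.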

Exploit · Fix

IDOR · Improper Access Control · Incorrect Authorization

Weakness Enumeration

Related Identifiers: CVE-2026-32761, GHSA-68J5-4M99-W9W9, GO-2026-4738

Affected Products: Filebrowser