PT-2026-30905 · Unknown · Filebrowser

Kodareef5 · Published 2026-04-07 · Updated 2026-04-09 · CVE-2026-35604

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: File Browser versions prior to 2.63.1
Description: File Browser is a file-management interface. Prior to version 2.63.1, when an administrator revokes a user's Share and Download permissions, existing share links created by that user remain accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions, so unauthenticated users can still access files through existing share links after the owner's permissions have been revoked. The vulnerability exists because the share access function, unlike the share creation function, does not validate the user's Share and Download permissions. The affected API endpoint is /api/public/dl/{hash}, where {hash} is the share link hash. The vulnerable parameter is the share link hash itself: a valid hash grants access without a permission check. The function withHashFile handles share access and lacks the necessary permission validation.
Recommendations: Update File Browser to version 2.63.1 or later.
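
The missing check from the description, as an added example in Go: a simplified model written for this page, not File Browser's source code or its actual patch. The types Perm, User, Share and Store, both lookup functions and the sample data are hypothetical.

```go
// Simplified model with hypothetical types; not File Browser's source code.
package main

import "fmt"

type Perm struct{ Share, Download bool }
type User struct{ Perm Perm }
type Share struct {
	Path    string
	OwnerID int
}
type Store struct {
	Users  map[int]*User
	Shares map[string]Share // keyed by share link hash
}

// lookupUnchecked models the behaviour described above: the hash alone
// grants access and the owner's current permissions are never consulted.
func (s *Store) lookupUnchecked(hash string) (string, bool) {
	sh, ok := s.Shares[hash]
	return sh.Path, ok
}

// lookupChecked re-loads the owner on every request and applies the same
// Share and Download test that share creation applies.
func (s *Store) lookupChecked(hash string) (string, bool) {
	sh, ok := s.Shares[hash]
	if !ok {
		return "", false
	}
	owner, ok := s.Users[sh.OwnerID]
	if !ok || !owner.Perm.Share || !owner.Perm.Download {
		return "", false // owner deleted or permissions revoked
	}
	return sh.Path, true
}

func main() {
	// Constructed data: user 1 owns one share link with hash "abc123".
	s := &Store{
		Users:  map[int]*User{1: {Perm{Share: true, Download: true}}},
		Shares: map[string]Share{"abc123": {"/docs/report.pdf", 1}},
	}
	s.Users[1].Perm = Perm{} // administrator revokes Share and Download
	fmt.Println(s.lookupUnchecked("abc123")) // link still resolves
	fmt.Println(s.lookupChecked("abc123"))   // link is refused
}
```

Because the check runs at request time rather than at share creation, a revocation takes effect on links that already exist without having to delete them.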

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-35604
GHSA-V9W4-GM2X-6RVF

Affected Products

Filebrowser