PT-2026-49069 · Go · github.com/filebrowser/filebrowser (+1)

Published 2026-06-12 · Updated 2026-06-12 · CVE-2026-54097

CVSS v4.0: 7.2 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

A low-privileged authenticated user of filebrowser (with create + delete permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored share.Link.Path. The file contents of the victim are not exposed, but the victim's share links are irrevocably wiped.

Details

resourceDeleteHandler in http/resource.go cleans up any share records that reference a deleted file by calling:

// http/resource.go
err = d.store.Share.DeleteWithPathPrefix(file.Path)

file.Path here is the logical path taken from the URL of the deleting user's request (e.g. /a), not the absolute filesystem path, and it is passed as-is to the bolt backend:

// storage/bolt/share.go
// (uses the "errors" package from the standard library and the project's share package)
func (s shareBackend) DeleteWithPathPrefix(pathPrefix string) error {
  var links []share.Link
  // Loads every stored link whose Path begins with pathPrefix; no owner filter is applied.
  if err := s.db.Prefix("Path", pathPrefix, &links); err != nil {
    return err
  }
  var err error
  for _, link := range links {
    err = errors.Join(err, s.db.DeleteStruct(&share.Link{Hash: link.Hash}))
  }
  return err
}

Why the design contradicts this behavior: share.Link carries a UserID field, and the application elsewhere treats shares as per-user owned resources. shareDeleteHandler explicitly enforces link.UserID != d.user.ID && !d.user.Perm.Admin → 403. The file-deletion side-effect path is the only location that bypasses this rule.
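The prefix match described above, side by side with an owner-scoped alternative, as an added Go example that is not the project's code: Link and MemStore stand in for share.Link and the bolt backend, and DeleteOwnSharesUnder is my illustration of a mitigation, not filebrowser's actual patch.

```go
package main

import "strings"

// Link mirrors the share.Link fields the advisory mentions (field names assumed).
type Link struct {
	Hash   string
	Path   string
	UserID uint
}

// MemStore stands in for the bolt backend with an in-memory slice.
type MemStore struct{ Links []Link }

// remove drops every link for which drop returns true and returns the
// hashes that were removed, so both strategies share one loop.
func (s *MemStore) remove(drop func(Link) bool) []string {
	var kept []Link
	var gone []string
	for _, l := range s.Links {
		if drop(l) {
			gone = append(gone, l.Hash)
		} else {
			kept = append(kept, l)
		}
	}
	s.Links = kept
	return gone
}

// DeleteWithPathPrefix reproduces the vulnerable behaviour: a bare byte-prefix
// match on Path with no owner check, so "/a" also hits "/admin/report.pdf".
func (s *MemStore) DeleteWithPathPrefix(prefix string) []string {
	return s.remove(func(l Link) bool { return strings.HasPrefix(l.Path, prefix) })
}

// coversPath: the deleted entry is the shared file itself or one of its parent
// directories, so "/a" covers "/a/sub.txt" but not "/ab".
func coversPath(deleted, linkPath string) bool {
	deleted = strings.TrimSuffix(deleted, "/")
	return linkPath == deleted || strings.HasPrefix(linkPath, deleted+"/")
}

// DeleteOwnSharesUnder is the owner-scoped alternative (an illustration, not
// the project's fix): only the acting user's links under the path are removed.
// The admin exception from shareDeleteHandler is omitted here.
func (s *MemStore) DeleteOwnSharesUnder(userID uint, path string) []string {
	return s.remove(func(l Link) bool { return l.UserID == userID && coversPath(path, l.Path) })
}
```

With a constructed store holding user 2's shares for /a, /a/sub.txt and /ab plus user 1's share for /admin/report.pdf, the prefix variant removes all four on a delete of /a, while the scoped variant removes only the first two.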

Impact

  • Integrity: unauthorized deletion of share-link metadata belonging to arbitrary users, including administrators.
  • Availability: effective denial-of-service of the share-link feature — a cooperating (or malicious) low-privileged user can wipe the bulk of existing share links by iterating a short set of one- and two-character prefixes.

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-54097
GHSA-5ww9-jg6q-38r7

Affected Products

github.com/filebrowser/filebrowser
github.com/filebrowser/filebrowser/v2