CVE-2026-27611
Published 2026-02-25
Priority: P3 39 · Severity: medium · CVSS 3.1 base score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS: 0.31% (22.3rd percentile)
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | <= 1.2.9 | — |
| filebrowser | filebrowser | — | — |
| filebrowser | filebrowser | — | — |
| github.com | gtsteffaniak_filebrowser_backend | >= 0 < 0.0.0-20260221163904-dbcfba993b85 | 0.0.0-20260221163904-dbcfba993b85 |
| github.com | gtsteffaniak_filebrowser_backend | >= 0 < 0.0.0-20260307130210-09713b32a5f6 | 0.0.0-20260307130210-09713b32a5f6 |
| gtsteffaniak | filebrowser | — | — |
| gtsteffaniak | filebrowser | — | — |
| gtsteffaniak | filebrowser | — | — |
| gtsteffaniak | filebrowser_quantum | < 1.1.3 | 1.1.3 |
| gtsteffaniak | filebrowser_quantum | — | — |
| gtsteffaniak | filebrowser_quantum | >= 1.2.0 < 1.2.6 | 1.2.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | 4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 7.1 | HIGH | — |
| osv | — | 7.1 | HIGH | — |
GHSA: FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info
ghsa · 2026-03-09 · CVSS 7.1 · CVE-2026-30933 [HIGH] · CWE-200
### Summary
The remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2.
### Details
The issue stems from two flaws:
1. Tokenized download URLs are written into the persistent share model, in `backend/http/share.go`, `convertToFrontendShareResponse` (line 63):
```go
s.DownloadURL = getShareURL(r, s.Hash, true, s.Token)
```
2. The public endpoint `GET /public/api/share/info` returns `shareLink.CommonShare` without clearing `DownloadURL`.
Since Token is set for password-protected shares, and getShareURL(..., true, token) embeds it as a query parameter, the public API discloses a valid b
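As an added illustration of the two flaws above (this is not FileBrowser Quantum's code: the `Share` and `PublicShareInfo` types, the host and the `/public/api/share/dl/` path are assumed), the Go below builds the share-info response the leaky way beside a version that derives the tokenized link per request and withholds it until the password has been verified, with a small regression check a defender can run against a response body:

```go
package main

import "net/url"

// Share is a hypothetical, simplified share record (not the project's own
// type); Token is set only for password-protected shares.
type Share struct {
	Hash    string
	Token   string
	HasPass bool
}

// PublicShareInfo is the hypothetical body of the unauthenticated share-info
// endpoint; DownloadURL is dropped from the JSON when empty.
type PublicShareInfo struct {
	Hash              string `json:"hash"`
	PasswordProtected bool   `json:"passwordProtected"`
	DownloadURL       string `json:"downloadUrl,omitempty"`
}

// shareURL follows the advisory's pattern: a non-empty token is embedded as a
// query parameter, so the link by itself grants the download.
func shareURL(host, hash, token string) string {
	u := url.URL{Scheme: "https", Host: host, Path: "/public/api/share/dl/" + hash}
	if token != "" {
		u.RawQuery = url.Values{"token": {token}}.Encode()
	}
	return u.String()
}

// vulnerableInfo reproduces both flaws: the tokenized URL is built for every share and copied unfiltered into the response.
func vulnerableInfo(host string, s Share) PublicShareInfo {
	return PublicShareInfo{Hash: s.Hash, PasswordProtected: s.HasPass,
		DownloadURL: shareURL(host, s.Hash, s.Token)}
}

// hardenedInfo builds the link per request and only once the caller has proven
// the password (passwordVerified comes from a separate check, assumed here).
func hardenedInfo(host string, s Share, passwordVerified bool) PublicShareInfo {
	info := PublicShareInfo{Hash: s.Hash, PasswordProtected: s.HasPass}
	if !s.HasPass || passwordVerified {
		info.DownloadURL = shareURL(host, s.Hash, s.Token)
	}
	return info
}

// leaksToken is a regression check for a response body: does its download link carry a reusable share token?
func leaksToken(info PublicShareInfo) bool {
	u, err := url.Parse(info.DownloadURL)
	return err == nil && u.Query().Get("token") != ""
}
```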
OSV (osv · 2026-03-09 · CVSS 7.1 · CVE-2026-30933 [HIGH]): carries the same advisory text as the GHSA entry above.
OSV: FileBrowser Quantum: Password Protection Not Enforced on Shared File Links
osv · 2026-02-25 · CVE-2026-27611 [HIGH]
### Summary
When users share password-protected files, the recipient can completely bypass the password and still download the file.
### Details
This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password.
### PoC
1. As an authenticated user, create a share for a file, with a password specified in "Optional password" (make sure to allow anonymous access as the PoC doesn't explain how to do this on a share that requires login, but it is also possible to do on a share that requires login, with some small tweaks to the API request)
2. Copy the first link (the clipboard WITHOUT an arrow) because the second o
GHSA (ghsa · 2026-02-25 · CVE-2026-27611 [HIGH] · CWE-200): carries the same advisory text as the OSV entry above.
OSV: FileBrowser Quantum: Password Protection Not Enforced on Shared File Links in github.com/gtsteffaniak/filebrowser/backend
osv · 2026-02-25 · CVE-2026-27611
No detection rules found.
No public exploits indexed.
Wiz: CVE-2026-27611 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 7.1 · CVE-2026-27611 [HIGH]
## CVE-2026-27611: vulnerability analysis and mitigation
Description (Source: NVD): the same NVD text given at the top of this page.
Score: 7.1
Published: February 25, 2026
Severity: HIGH
CNA Score: 7.1
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 11
Exploitation Probability (EPSS): N/A
Affect
Wiz: CVE-2026-30933 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 7.1 · CVE-2026-30933 [HIGH]
## CVE-2026-30933: Wolfi vulnerability analysis and mitigation
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
Source: NVD
Score: 7.5
Published: March 10, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies: Wolfi, Chainguard
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 21.1
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: github.com/gtsteffaniak/filebrowser/backend, filebrowser
Sources: NVD, Chaingu
Published: 2026-02-25