CVE-2026-32761
published 2026-03-20

Priority: P3 45 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.42% (34.0th percentile)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0.
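
The authorization gap described above, modelled in Go as an added example. This is not File Browser's code and not the 2.62.0 patch; the types and function names are hypothetical, and the hardened handler applies the owner download check that the description says was missing.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified, hypothetical types holding only the two flags the advisory names.
type Perm struct{ Share, Download bool }
type User struct {
	Name string
	Perm Perm
}
type Link struct { // public share record: creator and shared path
	Owner *User
	Path  string
}

var ErrForbidden = errors.New("forbidden")

// Raw models /api/raw/: authenticated, enforces the download permission.
func Raw(u *User, path string) (string, error) {
	if !u.Perm.Download {
		return "", ErrForbidden
	}
	return "contents of " + path, nil
}

// CreateShare models share creation: only Perm.Share is checked.
func CreateShare(u *User, path string) (*Link, error) {
	if !u.Perm.Share {
		return nil, ErrForbidden
	}
	return &Link{Owner: u, Path: path}, nil
}

// PublicVulnerable models /api/public/dl/ as described for <= 2.61.0: no permission check.
func PublicVulnerable(l *Link) (string, error) { return "contents of " + l.Path, nil }

// PublicHardened routes the unauthenticated request through the owner's download check.
func PublicHardened(l *Link) (string, error) { return Raw(l.Owner, l.Path) }

func main() {
	bob := &User{Name: "bob", Perm: Perm{Share: true}} // constructed account, download denied
	l, _ := CreateShare(bob, "/reports/q1.pdf")
	_, errRaw := Raw(bob, l.Path)
	_, errVuln := PublicVulnerable(l)
	_, errFixed := PublicHardened(l)
	fmt.Println(errRaw, errVuln, errFixed) // forbidden <nil> forbidden
}
```

The same share=true, download=false combination is what to look for when reviewing accounts on an instance that has not yet been upgraded.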

Affected

3 ranges

Vendor | Product | Version range | Fixed in
filebrowser | filebrowser | < 2.62.0 | 2.62.0
github.com | filebrowser_filebrowser_v2 | >= 0 < 2.62.0 | 2.62.0
https | github.com_filebrowser_filebrowser | 0 – 2.61.0 |