CVE-2026-32761
published 2026-03-20CVE-2026-32761: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and…
PriorityP345medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
0.42%
34.0th percentile
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | < 2.62.0 | 2.62.0 |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.62.0 | 2.62.0 |
| https | github.com_filebrowser_filebrowser | 0 – 2.61.0 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
File Browser has an Authorization Policy Bypass in Public Share Download Flow in github.com/filebrowser/filebrowser
osv·2026-04-07
CVE-2026-32761 File Browser has an Authorization Policy Bypass in Public Share Download Flow in github.com/filebrowser/filebrowser
File Browser has an Authorization Policy Bypass in Public Share Download Flow in github.com/filebrowser/filebrowser
File Browser has an Authorization Policy Bypass in Public Share Download Flow in github.com/filebrowser/filebrowser
OSV
File Browser has an Authorization Policy Bypass in Public Share Download Flow
osv·2026-03-18
CVE-2026-32761 [MEDIUM] File Browser has an Authorization Policy Bypass in Public Share Download Flow
File Browser has an Authorization Policy Bypass in Public Share Download Flow
### Summary
A permission enforcement flaw allows users without download privileges (`download=false`) to still expose and retrieve file content via public share links when they retain share privileges (`share=true`). This bypasses intended access control policy and enables unauthorized data exfiltration to unauthenticated users. Where download restrictions are used for data-loss prevention or role separation.
### Details
The backend applies inconsistent authorization checks across download paths:
- Direct raw download correctly enforces `Perm.Download`:
- [[raw.go](https://github.com/filebrowser/filebrowser/blob/master/http/raw.go#82)](filebrowser/http/raw.go:82)
- Share creation only enforces `Perm.Share`:
-
GHSA
File Browser has an Authorization Policy Bypass in Public Share Download Flow
ghsa·2026-03-18
CVE-2026-32761 [MEDIUM] CWE-284 File Browser has an Authorization Policy Bypass in Public Share Download Flow
File Browser has an Authorization Policy Bypass in Public Share Download Flow
### Summary
A permission enforcement flaw allows users without download privileges (`download=false`) to still expose and retrieve file content via public share links when they retain share privileges (`share=true`). This bypasses intended access control policy and enables unauthorized data exfiltration to unauthenticated users. Where download restrictions are used for data-loss prevention or role separation.
### Details
The backend applies inconsistent authorization checks across download paths:
- Direct raw download correctly enforces `Perm.Download`:
- [[raw.go](https://github.com/filebrowser/filebrowser/blob/master/http/raw.go#82)](filebrowser/http/raw.go:82)
- Share creation only enforces `Perm.Share`:
-
No detection rules found.
No public exploits indexed.
2026-03-20
Published