CVE-2026-32761Improper Access Control in Filebrowser

CWE-284Improper Access ControlCWE-639Authorization Bypass Through User-Controlled KeyCWE-863Incorrect Authorization6 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.0%
top 98.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
FilebrowserGithub.com Filebrowser Filebrowser V2Https Github.com Filebrowser Filebrowser
Timeline
PublishedMar 20
Latest updateApr 7

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creati

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

CVEListV5filebrowser/filebrowser< 2.62.0

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
File Browser has an Authorization Policy Bypass in Public Share Download Flow in github.com/filebrowser/filebrowser2026-04-07
CVEList
File Browser has an Authorization Policy Bypass in its Public Share Download Flow2026-03-19
OSV
File Browser has an Authorization Policy Bypass in Public Share Download Flow2026-03-18
GHSA
File Browser has an Authorization Policy Bypass in Public Share Download Flow2026-03-18

🕵️Threat Intelligence

1
Wiz
CVE-2026-32761 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-32761 — Improper Access Control in Filebrowser | cvebase