CVE-2026-54091
published 2026-06-25CVE-2026-54091: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File…
PriorityP351high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.47%
37.2th percentile
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope. As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through `GET /api/public/share/*` and `GET /api/public/dl/*`. This vulnerability is fixed in 2.63.6.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | < 2.63.6 | 2.63.6 |
| github.com | filebrowser_filebrowser | 0 – 1.11.0 | — |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.63.6 | 2.63.6 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
filebrowser File Browser up to 2.63.5 /api/public/share authorization (GHSA-j9jx-hp4c-ghhh)
vuldb·2026-06-26·CVSS 7.5
CVE-2026-54091 [HIGH] filebrowser File Browser up to 2.63.5 /api/public/share authorization (GHSA-j9jx-hp4c-ghhh)
A vulnerability identified as problematic has been detected in filebrowser File Browser up to 2.63.5. Impacted is an unknown function of the file /api/public/share. This manipulation causes incorrect authorization.
This vulnerability is registered as CVE-2026-54091. Remote exploitation of the attack is possible. No exploit is available.
You should upgrade the affected component.
GHSA
File Browser has incorrect access control for public directory shares via rule path rebasing
ghsa·2026-06-12
CVE-2026-54091 [HIGH] CWE-863 File Browser has incorrect access control for public directory shares via rule path rebasing
File Browser has incorrect access control for public directory shares via rule path rebasing
### Summary
File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope.
As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through `GET /api/public/share/*` and `GET /api/public/dl/*`.
### Details
The public share flow first resolves the original
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-25
Published