Back to overview

CVE-2026-54091

HIGH
7.5
CVSS 3.1
Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope. As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through `GET /api/public/share/*` and `GET /api/public/dl/*`. This vulnerability is fixed in 2.63.6.

Metadata

CVE ID
CVE-2026-54091
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-11 18:44 UTC
Published
2026-06-25 17:43 UTC
Last updated
2026-06-25 17:43 UTC
Primary CWE
CWE-863
CWE-863: Incorrect Authorization
Vendor / Product
filebrowser / filebrowser
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
filebrowser filebrowser < 2.63.6
Weakness (CWE)
CWESourceDescription
CWE-863 cna CWE-863: Incorrect Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References (3)
Back to overview