SB20260408143 - Multiple vulnerabilities in FileBrowser

Published: April 8, 2026

Security Bulletin ID: SB20260408143
Severity: Medium
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium: 20%
Low: 80%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) OS Command Injection (CVE-ID: CVE-2026-35585)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of special elements used in an OS command in the Runner.exec hook runner when expanding attacker-controlled filename or username variables into shell-based hook commands. A remote privileged user can upload, create, or rename a file whose name contains shell metacharacters to execute arbitrary code.

Exploitation requires shell-based hooks to be configured and triggered by file events such as upload, rename, or delete.
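The following Go example is added to this bulletin to illustrate the two hook-runner patterns at issue; it is not FileBrowser's own Runner.exec code, and the HookEvent type, the {path}/{user} placeholders and the FB_HOOK_* environment variable names are assumptions made for the example. The shell-based variant expands user-controlled values into one command line that a shell then parses; the argv-based variant keeps each value in its own argument so the program receives it as plain bytes.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// HookEvent holds the values a file-event hook receives. Constructed type
// for this example, not FileBrowser's own hook code.
type HookEvent struct {
	Action   string // "upload", "rename" or "delete"
	Path     string // path chosen by the user, so untrusted
	Username string // also user-controlled at account creation
}

// templateReplacer expands the two placeholders assumed for this example.
func templateReplacer(ev HookEvent) *strings.Replacer {
	return strings.NewReplacer("{path}", ev.Path, "{user}", ev.Username)
}

// unsafeHookArgv is the pattern the bulletin warns about: placeholders are
// expanded into one command line that is then handed to a shell, so any
// shell syntax inside the filename or username is interpreted.
func unsafeHookArgv(tmpl string, ev HookEvent) []string {
	return []string{"sh", "-c", templateReplacer(ev).Replace(tmpl)}
}

// safeHookArgv expands placeholders per argument and never involves a
// shell: each template element becomes exactly one argv element, so a
// name containing ';' or '$(' reaches the program as plain bytes.
func safeHookArgv(tmplArgv []string, ev HookEvent) []string {
	r := templateReplacer(ev)
	out := make([]string, len(tmplArgv))
	for i, a := range tmplArgv {
		out[i] = r.Replace(a)
	}
	return out
}

// hookCommand builds the process without a shell and additionally exports
// the event fields as environment variables, the usual channel for hook
// scripts that need the values (the FB_HOOK_* names are this example's own).
func hookCommand(tmplArgv []string, ev HookEvent) *exec.Cmd {
	argv := safeHookArgv(tmplArgv, ev)
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Env = append(os.Environ(),
		"FB_HOOK_ACTION="+ev.Action,
		"FB_HOOK_PATH="+ev.Path,
		"FB_HOOK_USER="+ev.Username)
	return cmd
}

func main() {
	// Constructed event: a filename carrying a shell metacharacter.
	ev := HookEvent{Action: "upload", Path: "/srv/files/report;notes.txt", Username: "alice"}
	fmt.Println("shell-based:", unsafeHookArgv("/usr/local/bin/scan {path}", ev))
	fmt.Println("argv-based :", hookCommand([]string{"/usr/local/bin/scan", "{path}"}, ev).Args)
}
```

The program only builds the commands and prints their argument vectors; nothing is executed. The point to check in a real hook configuration is that user-derived values never end up inside the string passed to "sh -c".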


2) Improper privilege management (CVE-ID: CVE-2026-35607)

The vulnerability allows a remote user to execute configured commands.

The vulnerability exists due to improper privilege management in the proxy authentication auto-provisioning logic when creating users on first successful proxy-auth login. A remote user who authenticates through the proxy is provisioned from the default settings and so inherits the execute permission together with the configured commands, which the user can then run.

Exploitation requires proxy authentication to be enabled, execution to be allowed, and default settings to include configured commands.


3) Missing Authorization (CVE-ID: CVE-2026-35606)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the /api/resources endpoint when handling requests for text file content. A remote user can send a crafted request to disclose sensitive information.

This issue bypasses the Perm.Download check but does not bypass path authorization, and it affects text files within the user's authorized scope.


4) Improper access control (CVE-ID: CVE-2026-35605)

The vulnerability allows a remote user to bypass intended access restrictions and access files in unintended sibling directories.

The vulnerability exists due to improper access control in the Matches() function in rules/rules.go when matching paths against access rules using strings.HasPrefix() without a trailing directory separator. A remote user can request a path that shares a common prefix with an allowed directory to bypass intended access restrictions and access files in unintended sibling directories.

The issue affects non-regex path rules, and rule evaluation uses last-match-wins semantics.
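The following Go example is added to this bulletin and is not FileBrowser's rules/rules.go code; the Rule type, the sample rules and the file paths are constructed for the example. It places the bare strings.HasPrefix() check beside a corrected matcher that normalises the path and requires the prefix to be followed by a directory separator, and evaluates both under the last-match-wins semantics the bulletin describes.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is a simplified non-regex path rule: requests under Path are
// allowed or denied. Constructed for this example, not FileBrowser's
// own rules.Rule type.
type Rule struct {
	Path  string
	Allow bool
}

// matchesPrefixOnly reproduces the weak check the bulletin describes:
// a bare prefix comparison, so "/srv/public-archive" satisfies a rule
// written for "/srv/public".
func matchesPrefixOnly(rule Rule, p string) bool {
	return strings.HasPrefix(p, rule.Path)
}

// matchesPath is the corrected check: normalise both sides, then require
// the request to be the rule directory itself or to sit beneath it, i.e.
// the prefix must be followed by a directory separator.
func matchesPath(rule Rule, p string) bool {
	p = path.Clean("/" + p)
	dir := path.Clean("/" + rule.Path)
	if dir == "/" {
		return true
	}
	return p == dir || strings.HasPrefix(p, dir+"/")
}

// Allowed evaluates rules in order with last-match-wins semantics, as the
// bulletin states; defaultAllow is the answer when nothing matches.
func Allowed(rules []Rule, p string, match func(Rule, string) bool, defaultAllow bool) bool {
	decision := defaultAllow
	for _, r := range rules {
		if match(r, p) {
			decision = r.Allow
		}
	}
	return decision
}

// sampleRules (constructed): only /srv/public is exposed, except its
// drafts subfolder, which a later rule takes away again.
var sampleRules = []Rule{
	{Path: "/srv/public", Allow: true},
	{Path: "/srv/public/drafts", Allow: false},
}

func main() {
	for _, p := range []string{
		"/srv/public/readme.txt",
		"/srv/public-archive/secret.txt",  // sibling sharing the prefix
		"/srv/public/../public-archive/x", // same sibling via ".."
		"/srv/public/drafts/wip.md",       // later deny rule wins
	} {
		fmt.Printf("%-36s prefix-only=%-5v fixed=%v\n", p,
			Allowed(sampleRules, p, matchesPrefixOnly, false),
			Allowed(sampleRules, p, matchesPath, false))
	}
}
```

Running it shows the sibling directory /srv/public-archive allowed by the prefix-only matcher and denied by the fixed one, while files genuinely under /srv/public are allowed by both. Cleaning the path first also keeps a ".." segment from reaching the sibling through the allowed directory.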


5) Incorrect authorization (CVE-ID: CVE-2026-35604)

The vulnerability allows a remote attacker to disclose files through previously created share links after permissions are revoked.

The vulnerability exists due to incorrect authorization in the public share download handler when processing requests for existing public share links after an administrator revokes the share owner's Share and Download permissions. A remote attacker can request a previously issued share link and still download its files after those permissions have been revoked.

The issue affects existing public share links created before the permission change, while creation of new share links is correctly blocked.
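The following Go example is added to this bulletin as an illustration of the underlying design point and is not FileBrowser's share handler; the Perms, Share and ShareStore types, the share hash and the file paths are constructed for the example. It shows a download handler that re-checks the owner's current Share and Download permissions on every request, so a link minted while the owner was permitted stops working once an administrator revokes those flags, alongside the creation-time check that the bulletin says already works.

```go
package main

import (
	"errors"
	"fmt"
)

// Perms holds the two user flags that matter here. Constructed model;
// FileBrowser's own user type is not reproduced.
type Perms struct {
	Share    bool
	Download bool
}

// Share records who created a public link and what it points at.
type Share struct {
	Hash  string
	Owner string
	Path  string
}

// ShareStore is an in-memory stand-in for the user and share tables.
type ShareStore struct {
	users  map[string]Perms
	shares map[string]Share
}

var (
	ErrNotFound  = errors.New("share not found")
	ErrForbidden = errors.New("owner may not share or download")
)

func NewShareStore() *ShareStore {
	return &ShareStore{users: map[string]Perms{}, shares: map[string]Share{}}
}

func (s *ShareStore) SetPerms(user string, p Perms) { s.users[user] = p }

// ownerPermitted is the single authorization decision both paths use.
func (s *ShareStore) ownerPermitted(user string) bool {
	p, ok := s.users[user]
	return ok && p.Share && p.Download
}

// CreateShare checks the owner at creation time; the bulletin says this
// check already blocks new links correctly.
func (s *ShareStore) CreateShare(hash, owner, filePath string) error {
	if !s.ownerPermitted(owner) {
		return ErrForbidden
	}
	s.shares[hash] = Share{Hash: hash, Owner: owner, Path: filePath}
	return nil
}

// ResolveDownload is the corrected download handler: it re-evaluates the
// owner's current permissions on every request instead of trusting that
// the link was valid when it was minted.
func (s *ShareStore) ResolveDownload(hash string) (string, error) {
	sh, ok := s.shares[hash]
	if !ok {
		return "", ErrNotFound
	}
	if !s.ownerPermitted(sh.Owner) {
		return "", ErrForbidden
	}
	return sh.Path, nil
}

func main() {
	s := NewShareStore()
	s.SetPerms("alice", Perms{Share: true, Download: true})
	_ = s.CreateShare("h1", "alice", "/srv/files/q3.pdf") // constructed hash and path
	fmt.Println(s.ResolveDownload("h1"))                   // /srv/files/q3.pdf <nil>
	s.SetPerms("alice", Perms{})                           // admin revokes both flags
	fmt.Println(s.ResolveDownload("h1"))                   // "" and ErrForbidden
	fmt.Println(s.CreateShare("h2", "alice", "/srv/files/q4.pdf")) // ErrForbidden
}
```

The same ownerPermitted decision serves both creation and download, which is what keeps the two paths from drifting apart: revoking the owner's flags takes effect immediately for existing links rather than only for links created afterwards.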


Remediation

Install the update from the vendor's website.