SB2026060822 - Multiple vulnerabilities in FileBrowser
Published: June 8, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete share-link records belonging to other users.
The vulnerability exists due to an authorization bypass through a user-controlled key in the DeleteWithPathPrefix share cleanup logic. When a legitimate file deletion request is processed, the cleanup removes every stored share whose path is a byte-prefix match for the deleted logical path, a comparison that is neither aligned to path-component boundaries nor restricted to the requesting user's own shares. A remote user can delete a file in their own directory whose logical path is a byte-prefix of another user's stored share path and thereby delete share-link records belonging to that user.
The issue affects share-link metadata only; file contents are not exposed. The vulnerable behavior is confined to the file-deletion cleanup path, which does not enforce the per-user ownership check that direct share deletion applies.
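The pattern the description points at, as an added example in Go (FileBrowser's language) that is not the project's own code: a raw byte-prefix match over stored share paths with no owner check, beside a cleanup that matches only on path-component boundaries and only within the requesting user's shares. The Share fields, the function names and the sample paths are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Share is a hypothetical share-link record: the logical path it points at
// and the user who created it. The field names are assumptions, not
// FileBrowser's schema.
type Share struct {
	Hash   string
	Path   string
	UserID uint
}

// deleteWithPathPrefixNaive models the vulnerable pattern: a raw byte-prefix
// match over every stored share and no owner check. Deleting "/data/bo" also
// drops a share for "/data/bob/report.pdf" that belongs to someone else.
func deleteWithPathPrefixNaive(shares []Share, deletedPath string) []Share {
	kept := make([]Share, 0, len(shares))
	for _, s := range shares {
		if strings.HasPrefix(s.Path, deletedPath) {
			continue
		}
		kept = append(kept, s)
	}
	return kept
}

// hasPathPrefix is a path-component-aware prefix test: "/data/bob" covers
// "/data/bob" and "/data/bob/x" but not "/data/bobby".
func hasPathPrefix(p, prefix string) bool {
	prefix = strings.TrimSuffix(prefix, "/")
	if prefix == "" { // deleting the root covers everything beneath it
		return true
	}
	return p == prefix || strings.HasPrefix(p, prefix+"/")
}

// deleteWithPathPrefixScoped is the hardened form: the match is restricted to
// path-component boundaries and to shares owned by the requesting user, the
// same ownership rule the bulletin says direct share deletion already applies.
func deleteWithPathPrefixScoped(shares []Share, deletedPath string, userID uint) []Share {
	kept := make([]Share, 0, len(shares))
	for _, s := range shares {
		if s.UserID == userID && hasPathPrefix(s.Path, deletedPath) {
			continue
		}
		kept = append(kept, s)
	}
	return kept
}

func main() {
	// Constructed sample data: user 1 owns /data/bo, user 2 owns /data/bob.
	shares := []Share{
		{Hash: "aaa", Path: "/data/bo/notes.txt", UserID: 1},
		{Hash: "bbb", Path: "/data/bob/report.pdf", UserID: 2},
	}
	// User 1 deletes their own directory /data/bo.
	fmt.Println(len(deleteWithPathPrefixNaive(shares, "/data/bo")))     // 0: user 2's share is gone too
	fmt.Println(len(deleteWithPathPrefixScoped(shares, "/data/bo", 1))) // 1: only user 1's share removed
}
```

Either check alone narrows the bug; together they make the cleanup equivalent to what a user could do through direct share deletion.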
2) OS Command Injection (CVE-ID: N/A)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary OS commands.
The vulnerability exists due to command injection in HookAuth.RunCommand in auth/hook.go when processing login requests through the hook authentication feature: the supplied username and password reach the hook command without being neutralized. A remote attacker can send a login request with a specially crafted username or password value to execute arbitrary OS commands on the server.
Only instances with the hook authentication feature enabled are affected. Exploitation happens while the login is being processed, before authentication has completed, so no valid account is needed.
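An added Go illustration of the bug class, not FileBrowser's hook.go: credentials concatenated into a line that a shell interprets, beside a hook invocation that starts the program directly with exec.Command and passes the credentials through the environment, so nothing in them is ever parsed as shell syntax. The hook path and the HOOK_USERNAME / HOOK_PASSWORD variable names are assumptions made for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"time"
)

// Credentials are the untrusted values taken from the login request.
type Credentials struct{ Username, Password string }

// unsafeHookCommand models the injectable pattern: the credentials are spliced
// into a command line that is then handed to "sh -c". Anything the shell treats
// specially in the username or password (; | & $( ) and backticks) runs as a
// command. This illustrates the bug class; it is not FileBrowser's code.
func unsafeHookCommand(hook string, c Credentials) []string {
	line := fmt.Sprintf("%s %s %s", hook, c.Username, c.Password)
	return []string{"sh", "-c", line}
}

// safeHookCommand never involves a shell. The hook program is argv[0] and the
// credentials travel in the environment, where no interpreter parses them.
// HOOK_USERNAME and HOOK_PASSWORD are variable names assumed for this example.
func safeHookCommand(hook string, c Credentials) (argv, env []string) {
	argv = []string{hook}
	env = append(os.Environ(),
		"HOOK_USERNAME="+c.Username,
		"HOOK_PASSWORD="+c.Password,
	)
	return argv, env
}

// runHook executes the safe form. exec.CommandContext starts the program
// directly (no shell), and the timeout keeps a stuck hook from pinning the
// login handler, which matters because this code runs before authentication
// completes. Exit status 0 means the hook accepted the credentials.
func runHook(hook string, c Credentials) (bool, error) {
	argv, env := safeHookCommand(hook, c)
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	cmd := exec.CommandContext(ctx, argv[0], argv[1:]...)
	cmd.Env = env
	err := cmd.Run()
	if ctx.Err() != nil {
		return false, ctx.Err() // hook timed out and was killed
	}
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		return false, nil // hook ran and rejected the login
	}
	if err != nil {
		return false, err // hook could not be started
	}
	return true, nil
}

func main() {
	// Constructed input: a username carrying a shell command separator.
	c := Credentials{Username: "alice; id > /tmp/pwned", Password: "x"}
	fmt.Printf("unsafe: %q\n", unsafeHookCommand("/usr/local/bin/auth-hook", c))
	argv, env := safeHookCommand("/usr/local/bin/auth-hook", c)
	fmt.Printf("safe argv: %q, credential env: %q\n", argv, env[len(env)-2:])
}
```

The hook script then reads $HOOK_USERNAME and $HOOK_PASSWORD as ordinary variables; even a value containing ";" or "$(...)" is inert until the script itself chooses to eval it, which is the script author's bug to avoid, not the server's.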
3) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper input validation in the CheckPwd function in users/password.go, reached from login requests to the api/login endpoint: the length of the submitted password is not bounded before it is checked. A remote user can send login requests with an excessively large password to cause a denial of service.
Concurrent requests can spike CPU and memory usage and may render the service unresponsive or crash it.
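An added Go example of the two bounds a login handler can apply before doing any work proportional to attacker input; it is not FileBrowser's code, and the limits (a 4 KiB body, a 128-byte password) are assumed values, not the project's. The body limit rejects an oversized request before it is decoded, and the length check rejects an oversized password before the expensive hash comparison that checkPwd stands in for.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Both limits are assumed values chosen for this example, not FileBrowser's.
const (
	maxLoginBody   = 4 << 10 // 4 KiB is ample for a JSON body holding a username and password
	maxPasswordLen = 128     // anything longer is refused before any hashing work is done
)

type loginRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

var errPasswordTooLong = errors.New("password too long")

// checkPwd stands in for the real password check. It enforces the length cap
// first; a real implementation would then compare against the stored hash
// (bcrypt in the bulletin's description), and that call is the expensive step
// the cap protects.
func checkPwd(password string) error {
	if len(password) > maxPasswordLen {
		return errPasswordTooLong
	}
	// bcrypt.CompareHashAndPassword(storedHash, []byte(password)) would go here.
	return nil
}

// loginHandler bounds the request body before decoding it and bounds the
// password before the expensive check, so no work proportional to attacker
// input happens until both limits have been applied.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxLoginBody)
	var req loginRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if err := checkPwd(req.Password); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// loginStatus drives the handler in-process and returns the HTTP status, so
// the limits can be checked without a listening socket.
func loginStatus(body string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/login", strings.NewReader(body))
	rec := httptest.NewRecorder()
	loginHandler(rec, req)
	return rec.Code
}

func main() {
	// Constructed requests: a normal login, an over-long password, an oversized body.
	fmt.Println(loginStatus(`{"username":"alice","password":"hunter2"}`))                             // 200
	fmt.Println(loginStatus(`{"username":"alice","password":"` + strings.Repeat("A", 300) + `"}`))  // 400
	fmt.Println(loginStatus(`{"username":"alice","password":"` + strings.Repeat("A", 5000) + `"}`)) // 413
}
```

The order matters: the body limit sits in front of the JSON decoder, and the password cap sits in front of the hash comparison, so a flood of large login requests is turned away at the cost of a few kilobytes of reading each rather than a hash computation each.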
4) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to write arbitrary files outside the intended extraction directory on a Windows system.
The vulnerability exists due to path traversal in the download-as-zip and download-as-tar archive entry name handling: stored filenames containing Windows-style backslash separators are carried into the archive entry names, where a Windows extractor treats the backslashes as directory separators. A remote user can create a file with a specially crafted name and cause a victim to download and extract the resulting archive, writing arbitrary files outside the intended extraction directory on the victim's Windows system.
User interaction is required: the victim must download the archive and extract it on Windows.
5) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the public share handlers when serving files and subdirectories beneath a shared directory: client-supplied relative paths are rebased onto the share in a way that lets a request reach content outside the shared directory. A remote attacker can request a specially crafted public share path to disclose sensitive information.
No authenticated session is required when the public share is not password protected.
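An added Go example covering both this issue and the archive-name issue in 4) above; it is not FileBrowser's code. archiveEntryName normalizes a stored filename into an entry name that no extractor will treat as a traversal (backslashes are treated as separators because Windows extractors do; absolute, drive-qualified and ".." names are rejected), and resolveSharePath rebases a client-supplied relative path onto a share root and refuses any result that falls outside it. The share root and the sample names and requests are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

var errUnsafePath = errors.New("unsafe path")

// archiveEntryName turns a stored filename into a zip/tar entry name that no
// extractor will treat as a traversal. Backslashes are treated as separators,
// because Windows extractors do; a name that is absolute, drive-qualified or
// contains a ".." component is rejected rather than silently rewritten.
func archiveEntryName(name string) (string, error) {
	n := strings.ReplaceAll(name, `\`, "/")
	if strings.HasPrefix(n, "/") || (len(n) >= 2 && n[1] == ':') {
		return "", errUnsafePath
	}
	for _, part := range strings.Split(n, "/") {
		if part == ".." {
			return "", errUnsafePath
		}
	}
	n = path.Clean(n)
	if n == "." {
		return "", errUnsafePath
	}
	return n, nil
}

// resolveSharePath rebases a client-supplied relative path onto a share root
// and refuses any result that does not stay beneath that root. Both are
// slash-separated logical paths; backslashes in the request are normalized the
// same way as above so they cannot be used to sidestep the check.
func resolveSharePath(shareRoot, requested string) (string, error) {
	root := path.Clean("/" + shareRoot)
	rel := strings.ReplaceAll(requested, `\`, "/")
	full := path.Clean(path.Join(root, rel))
	if root == "/" {
		return full, nil // sharing the root leaves nothing to escape from
	}
	if full != root && !strings.HasPrefix(full, root+"/") {
		return "", errUnsafePath
	}
	return full, nil
}

func main() {
	// Constructed inputs: a benign name and two that would escape on Windows.
	for _, name := range []string{`docs\readme.txt`, `..\..\Users\Public\evil.exe`, `C:\Windows\evil.dll`} {
		n, err := archiveEntryName(name)
		fmt.Printf("%-32q -> %q %v\n", name, n, err)
	}
	// Constructed share root and requests: one inside the share, two escaping it.
	for _, req := range []string{"sub/file.txt", "../secret.txt", `..\..\etc\passwd`} {
		p, err := resolveSharePath("/srv/share", req)
		fmt.Printf("%-32q -> %q %v\n", req, p, err)
	}
}
```

The common thread is that the containment check runs on the normalized, cleaned result, never on the raw string: a prefix test on the unnormalized input is exactly what a backslash or an embedded ".." slips past.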
Remediation
Install the update from the vendor's website (see the linked advisories). Until the update is applied, disabling the hook authentication feature removes exposure to issue 2, and password-protecting or removing public shares raises the bar for issue 5.
References
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5ww9-jg6q-38r7
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-m93h-4hw7-5qcm
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-w5fm-68j4-fpc4
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-gxjx-7m74-hcq8
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-j9jx-hp4c-ghhh