SB2026060823 - Link following in FileBrowser




Published: June 8, 2026

Security Bulletin ID: SB2026060823
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Link following (CVE-ID: N/A)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information and overwrite files outside the intended FileBrowser scope.

The vulnerability exists due to improper link resolution before file access in the HTTP file handlers when they process paths that reference symbolic links inside a scoped directory. A remote attacker can access a symlink that points outside the scoped directory to disclose sensitive information and overwrite files outside the intended FileBrowser scope.

If public sharing is permitted, the issue can also expose the outside target through a public share. The proof assumes a symlink already exists inside the user's scoped directory, or that another allowed workflow can place it there.
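The kind of check whose absence the description above points to, as an added Go example (not FileBrowser's code and not the vendor's patch): resolve every symlink in the requested path first, then confirm the result is still inside the scope. The names ResolveInScope, ErrOutsideScope and Demo are hypothetical and the file layout is constructed. It handles existing paths only; for a file about to be created, the parent directory would be resolved instead.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideScope = errors.New("path resolves outside scope")

// ResolveInScope (hypothetical helper) maps a request path to a real path and
// rejects it if, after following symlinks, it lands outside the scope directory.
func ResolveInScope(scope, reqPath string) (string, error) {
	root, err := filepath.EvalSymlinks(scope) // the scope itself may sit behind a link
	if err != nil {
		return "", err
	}
	// Rooting at "/" before Clean discards any leading "../" in the request.
	joined := filepath.Join(root, filepath.Clean("/"+reqPath))
	resolved, err := filepath.EvalSymlinks(joined) // follow every link in the path
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideScope
	}
	return resolved, nil
}

// Demo builds a constructed layout: scope/notes.txt is a regular file and
// scope/link is a symlink to secret.txt, which lives one level above the scope.
func Demo() (okErr, linkErr error) {
	base, _ := os.MkdirTemp("", "scope-demo")
	defer os.RemoveAll(base)
	scope := filepath.Join(base, "scope")
	os.MkdirAll(scope, 0o755)
	os.WriteFile(filepath.Join(scope, "notes.txt"), []byte("in scope"), 0o600)
	os.WriteFile(filepath.Join(base, "secret.txt"), []byte("out of scope"), 0o600)
	os.Symlink(filepath.Join(base, "secret.txt"), filepath.Join(scope, "link"))
	_, okErr = ResolveInScope(scope, "notes.txt")
	_, linkErr = ResolveInScope(scope, "link")
	return okErr, linkErr
}

func main() {
	fmt.Println(Demo())
}
```

The check and the later open are separate steps, so a link swapped in between them is not covered. On Go 1.24 and later, os.OpenRoot opens files relative to a directory and rejects symlinks that escape it as part of the operation itself.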


Remediation

Install the update from the vendor's website.