#VU125388 Authorization bypass through user-controlled key in FileBrowser - CVE-2025-64523

 


Published: April 8, 2026


Vulnerability identifier: #VU125388
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-64523
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: FileBrowser
Software vendor: File Browser

Description

The vulnerability allows a remote user to delete other users' shared links.

The vulnerability exists due to an authorization bypass through a user-controlled key in the share deletion function in /http/share.go, which handles share deletion requests by share hash. A remote user can send a crafted delete request for another user's share hash to delete other users' shared links.

The issue affects shareDeleteHandler, which does not compare the share owner's user ID with the currently authenticated user's ID before deletion.
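
The missing ownership check described above, as an added Go example that is not FileBrowser's own code: `Link`, `Store`, `DeleteUnchecked` and `DeleteOwned` are hypothetical names, and the in-memory map is an assumed stand-in for the share database.

```go
package main

import (
	"errors"
	"fmt"
)

// Link is a simplified share record (hypothetical type, not FileBrowser's own).
type Link struct {
	Hash   string
	UserID uint // owner of the share
}

var (
	ErrNotFound  = errors.New("share not found")
	ErrForbidden = errors.New("share belongs to another user")
)

// Store is an in-memory stand-in for the share database (assumption).
type Store map[string]Link

// DeleteUnchecked is the flawed pattern: only the request-supplied hash is consulted.
func (s Store) DeleteUnchecked(hash string) error {
	if _, ok := s[hash]; !ok {
		return ErrNotFound
	}
	delete(s, hash)
	return nil
}

// DeleteOwned loads the record first and compares its owner with the
// authenticated caller before deleting (the CWE-639 mitigation).
func (s Store) DeleteOwned(hash string, callerID uint) error {
	link, ok := s[hash]
	if !ok {
		return ErrNotFound
	}
	if link.UserID != callerID {
		return ErrForbidden // an HTTP layer would map this to 403 or 404
	}
	delete(s, hash)
	return nil
}

func main() {
	s := Store{"h1": {Hash: "h1", UserID: 1}} // constructed sample data
	fmt.Println(s.DeleteOwned("h1", 2))       // share belongs to another user
	fmt.Println(s.DeleteOwned("h1", 1))       // <nil>
}
```

The caller ID must come from the authenticated session, never from a request parameter, or the check reintroduces the same user-controlled key.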


Remediation

Install the security update from the vendor's website.
