Incorrect authorization in FileBrowser - CVE-2026-35604
Published: April 8, 2026
Vulnerability identifier: #VU125403
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-35604
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: File Browser
Affected software:
FileBrowser
FileBrowser
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose files through previously created share links after permissions are revoked.
The vulnerability exists due to incorrect authorization in the public share download handler when processing requests for existing public share links after an administrator revokes the share owner's Share and Download permissions. A remote attacker can request a previously issued share link to disclose files through previously created share links after permissions are revoked.
The issue affects existing public share links created before the permission change, while creation of new share links is correctly blocked.
How to mitigate CVE-2026-35604
Install security update from vendor's website.