Vulnerability-Lookup

CVE-2026-28492 (GCVE-0-2026-28492)

Vulnerability from cvelistv5 – Published: 2026-03-05 21:06 – Updated: 2026-03-06 10:45

Title

File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory

Summary

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.

Severity ?

7.1 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/filebrowser/filebrowser/securi…	x_refsource_CONFIRM
	https://github.com/filebrowser/filebrowser/commit…	x_refsource_MISC
	https://github.com/filebrowser/filebrowser/releas…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	filebrowser	filebrowser	Affected: < 2.61.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28492",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T10:45:01.806014Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T10:45:32.640Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "filebrowser",
          "vendor": "filebrowser",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.61.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-05T21:06:21.185Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69"
        },
        {
          "name": "https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83"
        },
        {
          "name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0"
        }
      ],
      "source": {
        "advisory": "GHSA-mr74-928f-rw69",
        "discovery": "UNKNOWN"
      },
      "title": "File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28492",
    "datePublished": "2026-03-05T21:06:21.185Z",
    "dateReserved": "2026-02-27T20:57:47.707Z",
    "dateUpdated": "2026-03-06T10:45:32.640Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-28492\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-05T21:16:22.630\",\"lastModified\":\"2026-03-10T19:34:55.903\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.\"},{\"lang\":\"es\",\"value\":\"Navegador de Archivos proporciona una interfaz de gesti\u00f3n de archivos dentro de un directorio especificado y se puede usar para subir, eliminar, previsualizar, renombrar y editar archivos. Antes de la versi\u00f3n 2.61.0, cuando un usuario crea un enlace de compartici\u00f3n p\u00fablico para un directorio, el middleware withHashFile en http/public.go usa filepath.Dir(link.Path) para calcular la ra\u00edz BasePathFs. Esto establece la ra\u00edz del sistema de archivos en el directorio padre en lugar del propio directorio compartido, permitiendo a cualquiera con el enlace de compartici\u00f3n navegar y descargar archivos de todos los directorios hermanos. Este problema ha sido parcheado en la versi\u00f3n 2.61.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.61.0\",\"matchCriteriaId\":\"386E3F0B-FC20-4B4E-9C64-F2B9870D9CD3\"}]}]}],\"references\":[{\"url\":\"https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\",\"Mitigation\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28492\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-06T10:45:01.806014Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-06T10:45:28.482Z\"}}], \"cna\": {\"title\": \"File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory\", \"source\": {\"advisory\": \"GHSA-mr74-928f-rw69\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"filebrowser\", \"product\": \"filebrowser\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.61.0\"}]}], \"references\": [{\"url\": \"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69\", \"name\": \"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83\", \"name\": \"https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0\", \"name\": \"https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-05T21:06:21.185Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-28492\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-06T10:45:32.640Z\", \"dateReserved\": \"2026-02-27T20:57:47.707Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-05T21:06:21.185Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-28492

Vulnerability from fkie_nvd - Published: 2026-03-05 21:16 - Updated: 2026-03-10 19:34

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83	Patch
security-advisories@github.com	https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0	Release Notes
security-advisories@github.com	https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69	Exploit, Vendor Advisory, Mitigation

Impacted products

	Vendor	Product	Version
	filebrowser	filebrowser	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "386E3F0B-FC20-4B4E-9C64-F2B9870D9CD3",
              "versionEndExcluding": "2.61.0",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0."
    },
    {
      "lang": "es",
      "value": "Navegador de Archivos proporciona una interfaz de gesti\u00f3n de archivos dentro de un directorio especificado y se puede usar para subir, eliminar, previsualizar, renombrar y editar archivos. Antes de la versi\u00f3n 2.61.0, cuando un usuario crea un enlace de compartici\u00f3n p\u00fablico para un directorio, el middleware withHashFile en http/public.go usa filepath.Dir(link.Path) para calcular la ra\u00edz BasePathFs. Esto establece la ra\u00edz del sistema de archivos en el directorio padre en lugar del propio directorio compartido, permitiendo a cualquiera con el enlace de compartici\u00f3n navegar y descargar archivos de todos los directorios hermanos. Este problema ha sido parcheado en la versi\u00f3n 2.61.0."
    }
  ],
  "id": "CVE-2026-28492",
  "lastModified": "2026-03-10T19:34:55.903",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-05T21:16:22.630",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory",
        "Mitigation"
      ],
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-MR74-928F-RW69

Vulnerability from github – Published: 2026-03-02 20:15 – Updated: 2026-03-05 22:49

Summary

FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory

Details

Summary

When a user creates a public share link for a directory, the withHashFile middleware in http/public.go (line 59) uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories.

Details

In http/public.go lines 52-64, the withHashFile function handles public share link requests:

basePath := link.Path    // e.g. "/documents/shared"
filePath := ""

if file.IsDir {
    basePath = filepath.Dir(basePath)  // BUG: becomes "/documents" (parent!)
    filePath = ifPath
}

d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)

When a directory at /documents/shared is shared, filepath.Dir("/documents/shared") evaluates to "/documents". The BasePathFs is then rooted at the parent directory /documents/, giving the share link access to everything under /documents/ - not just the intended /documents/shared/.

This affects both publicShareHandler (directory listing via /api/public/share/{hash}) and publicDlHandler (file download via /api/public/dl/{hash}/path).

PoC

Set up filebrowser with a user whose scope contains:
- /documents/shared/public-file.txt (intended to be shared)
- /documents/secrets/passwords.txt (NOT intended to be shared)
- /documents/private/financial.csv (NOT intended to be shared)
Create a public share link for the directory /documents/shared (via POST /api/share/documents/shared)
Access the share link: GET /api/public/share/{hash}
- Expected: Lists only contents of /documents/shared/
- Actual: Lists contents of /documents/ (parent), revealing secrets/, private/, and shared/ directories
Download sibling files: GET /api/public/dl/{hash}/secrets/passwords.txt
- Expected: 404 or 403 (file outside share scope)
- Actual: 200 with file contents (sibling file downloaded successfully) Standalone Go test reproducing the exact vulnerable code path with afero.NewBasePathFs:

func TestShareScopeEscape(t *testing.T) {
    baseFs := afero.NewMemMapFs()
    afero.WriteFile(baseFs, "/documents/shared/public.txt", []byte("public"), 0644)
    afero.WriteFile(baseFs, "/documents/secrets/passwords.txt", []byte("admin:hunter2"), 0644)

    linkPath := "/documents/shared"
    basePath := filepath.Dir(linkPath) // BUG: "/documents"
    scopedFs := afero.NewBasePathFs(baseFs, basePath)

    // Sibling file is accessible through the share:
    f, err := scopedFs.Open("/secrets/passwords.txt")
    // err is nil - file accessible! Content: "admin:hunter2"
}

This test passes, confirming the vulnerability.

Impact

Unauthenticated information disclosure (CWE-200, CWE-706). Anyone with a public share link for a directory can: - Browse all sibling directories and files of the shared directory - - Download any file within the parent directory scope - - This works without authentication (public shares) or after providing the share password (password-protected shares) All filebrowser v2.x installations that use directory sharing are affected.

Recommended Fix

Remove the filepath.Dir() call and use link.Path directly as the BasePathFs root:

if file.IsDir {
    // Don't change basePath - keep it as link.Path
    filePath = ifPath
}
d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)

Affected commit: e3d00d591b567a8bfe3b02e42ba586859002c77d (latest) File: http/public.go, line 59

Severity ?

7.1 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.60.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.61.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T20:15:46Z",
    "nvd_published_at": "2026-03-05T21:16:22Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nWhen a user creates a public share link for a **directory**, the `withHashFile` middleware in `http/public.go` (line 59) uses `filepath.Dir(link.Path)` to compute the `BasePathFs` root. This sets the filesystem root to the **parent directory** instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories.\n\n### Details\nIn `http/public.go` lines 52-64, the `withHashFile` function handles public share link requests:\n\n```go\nbasePath := link.Path    // e.g. \"/documents/shared\"\nfilePath := \"\"\n\nif file.IsDir {\n    basePath = filepath.Dir(basePath)  // BUG: becomes \"/documents\" (parent!)\n    filePath = ifPath\n}\n\nd.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)\n```\n\nWhen a directory at `/documents/shared` is shared, `filepath.Dir(\"/documents/shared\")` evaluates to `\"/documents\"`. The `BasePathFs` is then rooted at the parent directory `/documents/`, giving the share link access to **everything** under `/documents/` - not just the intended `/documents/shared/`.\n\nThis affects both `publicShareHandler` (directory listing via `/api/public/share/{hash}`) and `publicDlHandler` (file download via `/api/public/dl/{hash}/path`).\n\n### PoC\n\n1. Set up filebrowser with a user whose scope contains:\n2.    - `/documents/shared/public-file.txt` (intended to be shared)\n3.    - `/documents/secrets/passwords.txt` (NOT intended to be shared)\n4.    - `/documents/private/financial.csv` (NOT intended to be shared)\n2. Create a public share link for the directory `/documents/shared` (via POST `/api/share/documents/shared`)\n3. Access the share link: `GET /api/public/share/{hash}`\n4.    - **Expected**: Lists only contents of `/documents/shared/`\n5.    - **Actual**: Lists contents of `/documents/` (parent), revealing `secrets/`, `private/`, and `shared/` directories\n4. Download sibling files: `GET /api/public/dl/{hash}/secrets/passwords.txt`\n5.    - **Expected**: 404 or 403 (file outside share scope)\n6.    - **Actual**: 200 with file contents (sibling file downloaded successfully)\n**Standalone Go test** reproducing the exact vulnerable code path with `afero.NewBasePathFs`:\n\n```go\nfunc TestShareScopeEscape(t *testing.T) {\n    baseFs := afero.NewMemMapFs()\n    afero.WriteFile(baseFs, \"/documents/shared/public.txt\", []byte(\"public\"), 0644)\n    afero.WriteFile(baseFs, \"/documents/secrets/passwords.txt\", []byte(\"admin:hunter2\"), 0644)\n\n    linkPath := \"/documents/shared\"\n    basePath := filepath.Dir(linkPath) // BUG: \"/documents\"\n    scopedFs := afero.NewBasePathFs(baseFs, basePath)\n\n    // Sibling file is accessible through the share:\n    f, err := scopedFs.Open(\"/secrets/passwords.txt\")\n    // err is nil - file accessible! Content: \"admin:hunter2\"\n}\n```\n\nThis test passes, confirming the vulnerability.\n\n### Impact\n\n**Unauthenticated information disclosure (CWE-200, CWE-706)**. Anyone with a public share link for a directory can:\n- Browse all sibling directories and files of the shared directory\n- - Download any file within the parent directory scope\n- - This works without authentication (public shares) or after providing the share password (password-protected shares)\nAll filebrowser v2.x installations that use directory sharing are affected.\n\n### Recommended Fix\n\nRemove the `filepath.Dir()` call and use `link.Path` directly as the `BasePathFs` root:\n\n```go\nif file.IsDir {\n    // Don\u0027t change basePath - keep it as link.Path\n    filePath = ifPath\n}\nd.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)\n```\n\n**Affected commit**: e3d00d591b567a8bfe3b02e42ba586859002c77d (latest)\n**File**: `http/public.go`, line 59",
  "id": "GHSA-mr74-928f-rw69",
  "modified": "2026-03-05T22:49:48Z",
  "published": "2026-03-02T20:15:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-28492 (GCVE-0-2026-28492)

FKIE_CVE-2026-28492

GHSA-MR74-928F-RW69

Summary

Details

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature