GHSA-J9JX-HP4C-GHHH

Vulnerability from github – Published: 2026-06-12 21:53 – Updated: 2026-06-12 21:53
VLAI
Summary
File Browser has incorrect access control for public directory shares via rule path rebasing
Details

Summary

File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope.

As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through GET /api/public/share/* and GET /api/public/dl/*.

Details

The public share flow first resolves the original shared path under the owner's filesystem, but then switches d.user.Fs to a new BasePathFs rooted at the shared directory. The follow-up authorization check is still performed by d.Check, which compares the request path to rule strings using prefix matching.

When the share target is a directory, the path passed to d.Check becomes relative to the shared directory, while the rules remain relative to the owner's original scope. A deny rule such as /projects/private therefore no longer matches a public share request for /private/secret.txt, even though the rebased filesystem resolves that request to the real path /projects/private/secret.txt.

Core vulnerable code path:

// http/public.go
if file.IsDir {
    basePath = filepath.Clean(link.Path)
    filePath = ifPath
}

d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)

file, err = files.NewFileInfo(&files.FileOptions{
    Fs:      d.user.Fs,
    Path:    filePath,
    Expand:  true,
    Checker: d,
})

// http/data.go and rules/rules.go
func (d *data) Check(path string) bool {
    allow := true
    for _, rule := range d.settings.Rules {
        if rule.Matches(path) {
            allow = rule.Allow
        }
    }
    for _, rule := range d.user.Rules {
        if rule.Matches(path) {
            allow = rule.Allow
        }
    }
    return allow
}

func (r *Rule) Matches(path string) bool {
    if path == r.Path {
        return true
    }
    prefix := r.Path
    if prefix != "/" && !strings.HasSuffix(prefix, "/") {
        prefix += "/"
    }
    return strings.HasPrefix(path, prefix)
}

The issue is reachable from the public endpoints registered in http/http.go for /api/public/share/* and /api/public/dl/*.

PoC

The attacker only needs a directory share URL. No authenticated session is required if the share is not password protected.

Reproduction flow:

  1. Prepare a directory owned by a normal user, for example /projects/.
  2. Inside it, create a sensitive child path such as /projects/private/secret.txt.
  3. Configure a deny rule for the share owner that blocks /projects/private.
  4. Have the owner create a public share for /projects/.
  5. Request the blocked child path through the public share endpoints.

PoC:

# owner creates a public share for /projects/
curl -s -X POST 'http://HOST/api/share/projects/' \
  -H 'X-Auth: <OWNER_JWT>' \
  -H 'Content-Type: application/json' \
  -d '{}'

The response contains a share hash such as:

{"hash":"<HASH>","path":"/projects/","userID":2,"expire":0}

The attacker can then access a rule-blocked file below the shared directory:

curl -i 'http://HOST/api/public/dl/<HASH>/private/secret.txt'

A blocked subdirectory can also be listed directly:

curl -i 'http://HOST/api/public/share/<HASH>/private/'

the server returns 200 OK and serves the file content or directory listing, even though the share owner's rules should have made that path inaccessible.

Impact

This flaw allows public share recipients to read files and browse directories that the share owner explicitly intended to block with File Browser rules. Because the vulnerable path is the public share feature, the exposure can be unauthenticated and internet-reachable whenever a share link is exposed.

In practical deployments, this can disclose secrets, configuration files, backup material, private project directories, or any other content that administrators or users attempted to hide beneath a shared parent directory using the built-in rule system.

Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.63.5"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.63.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-12T21:53:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nFile Browser\u0027s public share handlers rebase the share owner\u0027s filesystem root to the shared directory and then evaluate descendant paths against the owner\u0027s global and per-user rules using the rebased relative path instead of the original path relative to the owner\u0027s scope.\n\nAs a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through `GET /api/public/share/*` and `GET /api/public/dl/*`.\n\n### Details\nThe public share flow first resolves the original shared path under the owner\u0027s filesystem, but then switches `d.user.Fs` to a new `BasePathFs` rooted at the shared directory. The follow-up authorization check is still performed by `d.Check`, which compares the request path to rule strings using prefix matching.\n\nWhen the share target is a directory, the path passed to `d.Check` becomes relative to the shared directory, while the rules remain relative to the owner\u0027s original scope. A deny rule such as `/projects/private` therefore no longer matches a public share request for `/private/secret.txt`, even though the rebased filesystem resolves that request to the real path `/projects/private/secret.txt`.\n\nCore vulnerable code path:\n\n```go\n// http/public.go\nif file.IsDir {\n    basePath = filepath.Clean(link.Path)\n    filePath = ifPath\n}\n\nd.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)\n\nfile, err = files.NewFileInfo(\u0026files.FileOptions{\n    Fs:      d.user.Fs,\n    Path:    filePath,\n    Expand:  true,\n    Checker: d,\n})\n```\n\n```go\n// http/data.go and rules/rules.go\nfunc (d *data) Check(path string) bool {\n    allow := true\n    for _, rule := range d.settings.Rules {\n        if rule.Matches(path) {\n            allow = rule.Allow\n        }\n    }\n    for _, rule := range d.user.Rules {\n        if rule.Matches(path) {\n            allow = rule.Allow\n        }\n    }\n    return allow\n}\n\nfunc (r *Rule) Matches(path string) bool {\n    if path == r.Path {\n        return true\n    }\n    prefix := r.Path\n    if prefix != \"/\" \u0026\u0026 !strings.HasSuffix(prefix, \"/\") {\n        prefix += \"/\"\n    }\n    return strings.HasPrefix(path, prefix)\n}\n```\n\nThe issue is reachable from the public endpoints registered in `http/http.go` for `/api/public/share/*` and `/api/public/dl/*`.\n\n### PoC\nThe attacker only needs a directory share URL. No authenticated session is required if the share is not password protected.\n\nReproduction flow:\n\n1. Prepare a directory owned by a normal user, for example `/projects/`.\n2. Inside it, create a sensitive child path such as `/projects/private/secret.txt`.\n3. Configure a deny rule for the share owner that blocks `/projects/private`.\n4. Have the owner create a public share for `/projects/`.\n5. Request the blocked child path through the public share endpoints.\n\nPoC:\n\n```bash\n# owner creates a public share for /projects/\ncurl -s -X POST \u0027http://HOST/api/share/projects/\u0027 \\\n  -H \u0027X-Auth: \u003cOWNER_JWT\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{}\u0027\n```\n\nThe response contains a share hash such as:\n\n```text\n{\"hash\":\"\u003cHASH\u003e\",\"path\":\"/projects/\",\"userID\":2,\"expire\":0}\n```\n\nThe attacker can then access a rule-blocked file below the shared directory:\n\n```bash\ncurl -i \u0027http://HOST/api/public/dl/\u003cHASH\u003e/private/secret.txt\u0027\n```\n\nA blocked subdirectory can also be listed directly:\n\n```bash\ncurl -i \u0027http://HOST/api/public/share/\u003cHASH\u003e/private/\u0027\n```\n\nthe server returns `200 OK` and serves the file content or directory listing, even though the share owner\u0027s rules should have made that path inaccessible.\n\n### Impact\nThis flaw allows public share recipients to read files and browse directories that the share owner explicitly intended to block with File Browser rules. Because the vulnerable path is the public share feature, the exposure can be unauthenticated and internet-reachable whenever a share link is exposed.\n\nIn practical deployments, this can disclose secrets, configuration files, backup material, private project directories, or any other content that administrators or users attempted to hide beneath a shared parent directory using the built-in rule system.",
  "id": "GHSA-j9jx-hp4c-ghhh",
  "modified": "2026-06-12T21:53:28Z",
  "published": "2026-06-12T21:53:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-j9jx-hp4c-ghhh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/e07c59df0b850f5924d5b1683e8609661ddcf534"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.63.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File Browser has incorrect access control for public directory shares via rule path rebasing"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.