Exposed Access Flaw in FileBrowser Quantum by GT Steffaniak
CVE-2026-27611

7.1HIGH

Key Information:

Vendor: Gtsteffaniak
Status: Filebrowser
Vendor: CVE Published:; 25 February 2026

🔔 Create Gtsteffaniak Vulnerability Alert

What is CVE-2026-27611?

A serious flaw in FileBrowser Quantum, a self-hosted web-based file manager, allows users to bypass password protections on shared files. Specifically, prior to versions 1.1.3-stable and 1.2.6-beta, the system inadequately secured the sharing mechanism. The API inadvertently provided a direct download link accessible through the share link alone, enabling unauthorized access without the need for the password. This vulnerability was addressed in subsequent software updates to safeguard user data.

Affected Version(s)

filebrowser < 1.1.3-stable < 1.1.3-stable

filebrowser >= 1.2.0-beta, < 1.2.6-beta < 1.2.0-beta, 1.2.6-beta

References

https://github.com/gtsteffaniak/filebrowser/security/advi...

x_refsource_CONFIRM

https://github.com/gtsteffaniak/filebrowser/commit/c51b0e...

x_refsource_MISC

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 25, 2026
Vulnerability Reserved
Feb 20, 2026

CVE-2026-27611 Data

JSON