File Browser Permission Bypass in File Management Interface by File Browser
CVE-2026-32761
What is CVE-2026-32761?
A vulnerability exists in the File Browser file management interface, affecting versions 2.61.0 and below. The issue is a flaw in permission enforcement: users who lack direct download privileges can still exfiltrate file content by creating public share links. The system checks download permissions for raw file downloads but does not check them when a file is shared. Consequently, any authenticated user with sharing rights can publish files they are not authorized to download. This undermines data-loss prevention measures and organizational role-separation policies, because unauthorized users can distribute restricted files publicly. The vulnerability is fixed in version 2.62.0.
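The permission gap described above, as an added Go example that is not File Browser's own code or patch: the `Perms` and `User` types, the function names and the sample accounts are hypothetical, and the hardened check is an assumed fix that mirrors the download check. `exposedUsers` lists accounts that hold share rights without download rights, which are the ones to review on an unpatched instance.

```go
package main

import "fmt"

// Perms is a simplified, hypothetical model of per-user permissions;
// only the two flags the advisory discusses are included.
type Perms struct {
	Share    bool
	Download bool
}

// User is a constructed sample record, not File Browser's own type.
type User struct {
	Name  string
	Perms Perms
}

// canShareUnpatched models the flaw: share creation checks only Share.
func canShareUnpatched(p Perms) bool { return p.Share }

// canShareHardened also requires Download, because a public share link
// hands the file content to whoever holds the link (assumed fix).
func canShareHardened(p Perms) bool { return p.Share && p.Download }

// exposedUsers returns accounts for which the two checks disagree:
// users who could publish files they are not allowed to download.
func exposedUsers(users []User) []string {
	var out []string
	for _, u := range users {
		if canShareUnpatched(u.Perms) && !canShareHardened(u.Perms) {
			out = append(out, u.Name)
		}
	}
	return out
}

func main() {
	users := []User{ // constructed sample data
		{Name: "alice", Perms: Perms{Share: true, Download: true}},
		{Name: "bob", Perms: Perms{Share: true, Download: false}},
		{Name: "carol", Perms: Perms{Share: false, Download: false}},
	}
	fmt.Println("review before upgrading:", exposedUsers(users))
}
```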
Affected Version(s)
filebrowser < 2.62.0
