DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27611: The 'Secure' Share That Wasn't: Bypassing FileBrowser Quantum

#security #cve #cybersecurity

The 'Secure' Share That Wasn't: Bypassing FileBrowser Quantum

Vulnerability ID: CVE-2026-27611
CVSS Score: 7.1
Published: 2026-02-25

FileBrowser Quantum, a popular self-hosted file management solution, suffered from a critical logic flaw in its sharing mechanism. Intended to protect files with passwords, the application inadvertently leaked the authentication tokens required to bypass that very protection. By simply querying a metadata API endpoint, an attacker could retrieve a direct download URL for any shared file—password protected or not—rendering the security controls purely cosmetic.

TL;DR

A Broken Access Control vulnerability in FileBrowser Quantum allowed attackers to bypass password protection on shared files. The /public/api/shareinfo endpoint leaked the full file metadata, including the secret download token, in its JSON response. Attackers could extract this token to download 'protected' files without authentication.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-200 / CWE-288
  • Attack Vector: Network (API)
  • CVSS v4.0: 7.1 (High)
  • Impact: Confidentiality Loss
  • Exploit Status: Trivial / PoC Available
  • EPSS Score: 0.00041

Affected Systems

  • FileBrowser Quantum < 1.1.3-stable
  • FileBrowser Quantum 1.2.0-beta to < 1.2.6-beta
  • FileBrowser Quantum: < 1.1.3-stable (Fixed in: 1.1.3-stable)
  • FileBrowser Quantum: 1.2.0-beta - 1.2.5-beta (Fixed in: 1.2.6-beta)

Code Analysis

Commit: c51b0ee

Moved shareInfoHandler and implemented sanitization of CommonShare object

func shareInfoHandler... share.Source = ""; share.Path = ""...
Enter fullscreen mode Exit fullscreen mode

Commit: a8c9b94

Cleanup of legacy insecure handlers

Removed legacy routes pointing to insecure handlers
Enter fullscreen mode Exit fullscreen mode

Exploit Details

Mitigation Strategies

  • Sanitize API Responses: Ensure DTOs (Data Transfer Objects) do not contain internal state.
  • Regenerate Secrets: Invalidate all existing share tokens after patching.
  • WAF Filtering: Block access to /api/raw if the referer is not trusted.

Remediation Steps:

  1. Update FileBrowser Quantum to version 1.1.3-stable or 1.2.6-beta immediately.
  2. Audit logs for requests to /public/api/shareinfo followed immediately by requests to the downloadURL from the same IP.
  3. Revoke and recreate all currently active password-protected share links.

References

Read the full report for CVE-2026-27611 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)