CVE-2026-35604

HIGH

File Browser share links remain accessible after Share/Download permissions are revoked

Title source: cna

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. This vulnerability is fixed in 2.63.1.

References (2)

[X_Refsource_Confirm] https://github.com/filebrowser/filebrowser/security/advisories/GHSA-v9w4-gm2x-6rvf

[X_Refsource_Misc] https://github.com/filebrowser/filebrowser/pull/5888

Scores

CVSS v3 8.1

EPSS 0.0006

EPSS Percentile 18.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (2)

filebrowser/filebrowser < 2.63.1 (2 CPE variants)

filebrowser/filebrowser 0 - 2.63.1Go

Published Apr 07, 2026

Tracked Since Apr 07, 2026