CVE-2026-35606

HIGH

File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check

Title source: cna

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other content-serving endpoints (/api/raw, /api/preview, /api/subtitle) correctly verify this permission before serving content. A user with download: false can read any text file within their scope through two bypass paths. This vulnerability is fixed in 2.63.1.

References (1)

[X_Refsource_Confirm] https://github.com/filebrowser/filebrowser/security/advisories/GHSA-67cg-cpj7-qgc9

Scores

CVSS v3 7.5

EPSS 0.0004

EPSS Percentile 10.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (3)

filebrowser/filebrowser < 2.63.0

filebrowser/filebrowser 0 - 2.63.1Go

filebrowser/filebrowser < 2.63.1

Published Apr 07, 2026

Tracked Since Apr 07, 2026