{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27611", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T19:43:14.602Z", "datePublished": "2026-02-25T02:24:48.357Z", "dateUpdated": "2026-02-27T17:11:18.122Z"}, "containers": {"cna": {"title": "FileBrowser Quantum: Password Protection Not Enforced on Shared File Links", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-288", "lang": "en", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6"}, {"name": "https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1", "tags": ["x_refsource_MISC"], "url": "https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1"}], "affected": [{"vendor": "gtsteffaniak", "product": "filebrowser", "versions": [{"version": "< 1.1.3-stable", "status": "affected"}, {"version": ">= 1.2.0-beta, < 1.2.6-beta", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T02:24:48.357Z"}, "descriptions": [{"lang": "en", "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue."}], "source": {"advisory": "GHSA-8vrh-3pm2-v4v6", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T17:11:11.814607Z", "id": "CVE-2026-27611", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:11:18.122Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27611", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T17:11:11.814607Z"}}}], "references": [{"url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:10:38.672Z"}}], "cna": {"title": "FileBrowser Quantum: Password Protection Not Enforced on Shared File Links", "source": {"advisory": "GHSA-8vrh-3pm2-v4v6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gtsteffaniak", "product": "filebrowser", "versions": [{"status": "affected", "version": "< 1.1.3-stable"}, {"status": "affected", "version": ">= 1.2.0-beta, < 1.2.6-beta"}]}], "references": [{"url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6", "name": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1", "name": "https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T02:24:48.357Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27611", "state": "PUBLISHED", "dateUpdated": "2026-02-27T17:11:18.122Z", "dateReserved": "2026-02-20T19:43:14.602Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T02:24:48.357Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:*:*:*:*:*:*:*", "matchCriteriaId": "4375D364-0CCA-4F97-AEFA-4EE4D8F5646E", "versionEndExcluding": "1.1.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:*:*:*:*:*:*:*", "matchCriteriaId": "4087A9CC-6232-4DA2-96D5-0F5B86D7EFCD", "versionEndExcluding": "1.2.6", "versionStartIncluding": "1.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gtsteffaniak:filebrowser_quantum:1.1.3:beta:*:*:*:*:*:*", "matchCriteriaId": "9000A111-4C0C-4FC1-A3B4-C5BDB2C5AFE7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue."}], "id": "CVE-2026-27611", "lastModified": "2026-02-27T19:12:25.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T03:16:05.463", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-288"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.3-stable)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.2.0-beta,1.2.6-beta)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "filebrowser", "source": "cna", "vendor": "gtsteffaniak"}, "product": "filebrowser", "vendor": "gtsteffaniak"}], "analysis": {"en": {"generated_at": "2026-04-17T15:30:49.860901+00:00", "value": {"mitigation_remediation": ["Apply the latest patched release of FileBrowser Quantum (1.1.3\u2011stable or later, or 1.2.6\u2011beta or later).", "Revoke any share links created before the patch to remove exposed direct download URLs.", "Adjust the share API to enforce password verification and strip direct download links from responses. (In line with CWE\u2011287 remediation.)", "Enable logging and monitoring of share link access to detect unauthorized downloads."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized File Download Leading to Confidentiality Breach"}, "threat_synthesis": {"affected_systems": "The vulnerability affects gtsteffaniak's FileBrowser Quantum. Versions prior to 1.1.3\u2011stable on the stable branch and before 1.2.6\u2011beta on the beta branch are susceptible. The problem is resolved in those releases and all newer versions.", "description_and_impact": "FileBrowser Quantum lets users share files with password protection, but the API mistakenly exposes a direct download URL in the share details. A recipient who merely has the share link can download the file without providing the password, effectively bypassing the intended authorization. This flaw allows an unauthenticated attacker to obtain confidential files and poses a risk of data leakage. The issue aligns with CWE\u2011200 (Information Exposure), CWE\u2011287 (Improper Authentication), and CWE\u2011288 (Improper Permission Assignment).", "risk_and_exploitability": "With a CVSS score of 7.1 the severity is high; however, the EPSS score is less than 1%, indicating a low likelihood of exploitation at present. The flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be a web\u2011API IDOR that returns a direct download link to any user who possesses the share URL, requiring no additional authentication."}}}}, "created": "2026-02-25T11:35:01.287346+00:00", "updated": "2026-04-17T15:45:15.880727+00:00", "vendors": ["gtsteffaniak", "gtsteffaniak$PRODUCT$filebrowser"]}