{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32761", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.533Z", "datePublished": "2026-03-19T23:45:33.784Z", "dateUpdated": "2026-03-21T03:04:15.817Z"}, "containers": {"cna": {"title": "File Browser has an Authorization Policy Bypass in its Public Share Download Flow", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9"}, {"name": "https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32", "tags": ["x_refsource_MISC"], "url": "https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32"}, {"name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0"}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"version": "< 2.62.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:45:33.784Z"}, "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/<hash>) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0."}], "source": {"advisory": "GHSA-68j5-4m99-w9w9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-21T03:03:41.892908Z", "id": "CVE-2026-32761", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:04:15.817Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32761", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-21T03:03:41.892908Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:04:11.786Z"}}], "cna": {"title": "File Browser has an Authorization Policy Bypass in its Public Share Download Flow", "source": {"advisory": "GHSA-68j5-4m99-w9w9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"status": "affected", "version": "< 2.62.0"}]}], "references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9", "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32", "name": "https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0", "name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/<hash>) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:45:33.784Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32761", "state": "PUBLISHED", "dateUpdated": "2026-03-21T03:04:15.817Z", "dateReserved": "2026-03-13T18:53:03.533Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T23:45:33.784Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E5C9E4B-8749-44EA-AB8D-1292D4C9DB65", "versionEndExcluding": "2.62.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/<hash>) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0."}, {"lang": "es", "value": "Navegador de Archivos es una interfaz de gesti\u00f3n de archivos para cargar, eliminar, previsualizar, renombrar y editar archivos dentro de un directorio especificado. Las versiones 2.61.0 e inferiores contienen un bypass de aplicaci\u00f3n de permisos que permite a los usuarios a quienes se les deniegan los privilegios de descarga (perm.download = false) pero se les conceden privilegios de compartir (perm.share = true) exfiltrar contenido de archivos mediante la creaci\u00f3n de enlaces de compartici\u00f3n p\u00fablicos. Mientras que el endpoint de descarga directa en bruto (/api/raw/) aplica correctamente el permiso de descarga, el endpoint de creaci\u00f3n de compartici\u00f3n solo verifica Perm.Share, y el gestor de descarga p\u00fablica (/api/public/dl/) sirve contenido de archivos sin verificar que el propietario original del archivo tenga permiso de descarga. Esto significa que cualquier usuario autenticado con acceso de compartici\u00f3n puede eludir las restricciones de descarga compartiendo un archivo y luego recuper\u00e1ndolo a trav\u00e9s de la URL de descarga p\u00fablica no autenticada. La vulnerabilidad socava las pol\u00edticas de prevenci\u00f3n de p\u00e9rdida de datos y de separaci\u00f3n de roles, ya que los usuarios restringidos pueden distribuir p\u00fablicamente archivos que tienen expl\u00edcitamente bloqueada la descarga directa. Este problema ha sido solucionado en la versi\u00f3n 2.62.0."}], "id": "CVE-2026-32761", "lastModified": "2026-03-23T16:56:04.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:17.617", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.62.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "filebrowser", "source": "cna", "vendor": "filebrowser"}, "product": "filebrowser", "vendor": "filebrowser"}], "analysis": {"en": {"generated_at": "2026-03-23T18:35:15.551432+00:00", "value": {"mitigation_remediation": ["Upgrade File Browser to version 2.62.0 or later, which contains the fix for the share download bypass."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized data exfiltration via unrestricted public download links"}, "threat_synthesis": {"affected_systems": "File Browser, versions 2.61.0 and below are vulnerable. The issue was catalogued under the filebrowser:filebrowser product line. No other vendor or product variants are listed as affected.", "description_and_impact": "Version 2.61.0 and earlier of File Browser allow a permission enforcement bypass that gives users who lack explicit download rights but have share rights the ability to obtain file contents. The interface creates a public share URL and the download handler serves the file without re\u2011checking download permissions, allowing authenticated users to circumvent restrictions. This undermines data\u2011loss prevention and role segregation, exposing sensitive files to unauthorized access.", "risk_and_exploitability": "The CVSS score of 6.5 classifies the vulnerability as moderate severity; EPSS indicates an exceptionally low probability of exploitation (<1\u2009%). The attack vector requires authentication and possession of share privileges, meaning only authorized users can exploit the flaw. Since the exploit does not rely on untrusted input or privilege escalation, the scope is limited to file data exfiltration rather than full system compromise. The lack of a CISA KEV listing further reflects the relatively low exploit likelihood."}}}}, "created": "2026-03-20T08:54:14.187824+00:00", "updated": "2026-03-25T14:10:29.704139+00:00", "vendors": ["filebrowser", "filebrowser$PRODUCT$filebrowser"]}