CVE-2026-27611

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1	Patch
https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6	Exploit Vendor Advisory
https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gtsteffaniak:filebrowser_quantum::::::::
	cpe:2.3:a:gtsteffaniak:filebrowser_quantum::::::::
	cpe:2.3:a:gtsteffaniak:filebrowser_quantum:1.1.3:beta::::::

History

No history.

Information

Published : 2026-02-25 03:16

Updated : 2026-02-27 19:12

NVD link : CVE-2026-27611

Mitre link : CVE-2026-27611

CVE.ORG link : CVE-2026-27611

JSON object : View

Products Affected

gtsteffaniak

filebrowser_quantum

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-287

Improper Authentication

CWE-288

Authentication Bypass Using an Alternate Path or Channel

{"id": "CVE-2026-27611", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-25T03:16:05.463", "references": [{"url": "https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-288"}]}], "descriptions": [{"lang": "en", "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue."}, {"lang": "es", "value": "FileBrowser Quantum es un gestor de archivos gratuito, autoalojado y basado en web. Antes de las versiones 1.1.3-stable y 1.2.6-beta, cuando los usuarios comparten archivos protegidos con contrase\u00f1a, el destinatario puede omitir completamente la contrase\u00f1a y aun as\u00ed descargar el archivo. Esto ocurre porque la API devuelve un enlace de descarga directa en los detalles del recurso compartido, que es accesible para cualquiera con SOLO EL ENLACE COMPARTIDO, incluso sin la contrase\u00f1a. Las versiones 1.1.3-stable y 1.2.6-beta solucionan el problema."}], "lastModified": "2026-02-27T19:12:25.640", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4375D364-0CCA-4F97-AEFA-4EE4D8F5646E", "versionEndExcluding": "1.1.3"}, {"criteria": "cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4087A9CC-6232-4DA2-96D5-0F5B86D7EFCD", "versionEndExcluding": "1.2.6", "versionStartIncluding": "1.2.0"}, {"criteria": "cpe:2.3:a:gtsteffaniak:filebrowser_quantum:1.1.3:beta:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9000A111-4C0C-4FC1-A3B4-C5BDB2C5AFE7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}