CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-27611

The 'Secure' Share That Wasn't: Bypassing FileBrowser Quantum

Alon Barad
Alon Barad
Software Engineer

Feb 25, 2026·5 min read·87 visits

Executive Summary (TL;DR)

A Broken Access Control vulnerability in FileBrowser Quantum allowed attackers to bypass password protection on shared files. The `/public/api/shareinfo` endpoint leaked the full file metadata, including the secret download token, in its JSON response. Attackers could extract this token to download 'protected' files without authentication.

FileBrowser Quantum, a popular self-hosted file management solution, suffered from a critical logic flaw in its sharing mechanism. Intended to protect files with passwords, the application inadvertently leaked the authentication tokens required to bypass that very protection. By simply querying a metadata API endpoint, an attacker could retrieve a direct download URL for any shared file—password protected or not—rendering the security controls purely cosmetic.

The Hook: Trust, but Verify... Nothing?

We all love self-hosted software. There is something deeply satisfying about spinning up a Docker container, pointing a reverse proxy at it, and knowing you own your data. FileBrowser Quantum is one of those darlings of the homelab community—a sleek, fast way to manage files over the web.

One of its core features is the ability to share files with outsiders. You generate a link, slap a password on it, and send it off. You trust the software to act as the bouncer, checking credentials before letting anyone into the VIP room.

But in versions prior to 1.1.3-stable, that bouncer was essentially asleep at the door. Worse, he wasn't just sleeping; he was taping the VIP wristbands to the outside of the club. CVE-2026-27611 isn't some complex memory corruption or a race condition that requires nanosecond precision. It is a classic, painful case of the backend oversharing information with the frontend—a vulnerability class that continues to haunt modern web applications.

The Flaw: The Chatty API

To understand this vulnerability, we have to look at how modern Single Page Applications (SPAs) talk to their backends. When you visit a password-protected share link (e.g., https://files.example.com/share/AbCdEf), the frontend needs to know a few things before it renders the page. It asks the backend: "What is this file? Does it have a title? And most importantly, does it require a password?"

The backend answers this via the /public/api/shareinfo endpoint. In a secure implementation, this endpoint should return a minimal set of data: the filename, a flag saying passwordRequired: true, and maybe a checksum.

However, the developers of FileBrowser Quantum took a shortcut. Instead of creating a sanitized "Safe for Public" struct, they serialized the entire internal CommonShare object and sent it down the wire. This object contained everything the database knew about the share—including the downloadURL and the high-entropy token used to authorize the download. The frontend code was polite enough to ignore this token and show a password prompt, but an attacker with curl has no such manners.

The Code: Serialization Sins

Let's look at the smoking gun. The vulnerability lived in the shareInfoHandler. It took the hash from the URL and looked up the share details.

The Vulnerable Logic (Pseudo-code):

func shareInfoHandler(w http.ResponseWriter, r *http.Request) {
    hash := r.URL.Query().Get("hash")
    share, err := storage.GetShareByHash(hash)
    
    // CRITICAL MISTAKE:
    // The entire 'share' object is marshaled to JSON.
    // This includes internal fields like RealPath, Source, and Token.
    json.NewEncoder(w).Encode(share)
}

Because Go's JSON marshaler exports all public fields by default, and the CommonShare struct likely didn't have json:"-" tags on the sensitive fields, the API response looked something like this:

{
  "hash": "abcdef123456",
  "isPasswordProtected": true,
  "expiry": "2026-12-31",
  "downloadURL": "/api/raw?token=mz9...SecretToken...x1",
  "source": "/mnt/user_data/tax_returns/2025.pdf"
}

The fix, applied in commit c51b0ee, was to explicitly sanitize this object before encoding it. The developers effectively manually zeroed out the sensitive fields (Source, Path, and the generated link) ensuring only the metadata necessary for the UI was transmitted.

The Exploit: Asking Nicely

Exploiting this is trivially easy. You don't need Metasploit; you need a web browser's Developer Tools or a terminal.

Scenario: Alice shares a sensitive document with Bob, protected by a strong password. She sends Bob the link: https://quantum.local/share/S3cr3tH4sh.

Step 1: Reconnaissance Eve intercepts the link. She visits it in her browser and sees a password prompt. She doesn't know the password.

Step 2: The Bypass Eve opens her terminal and queries the API directly, using the hash from the URL.

curl -s "https://quantum.local/public/api/shareinfo?hash=S3cr3tH4sh" | jq

Step 3: Looting The server replies with the JSON blob we saw earlier. Eve spots the downloadURL parameter. She constructs her final download command, bypassing the password check entirely:

curl -O "https://quantum.local/api/raw?token=mz9...SecretToken...x1"

The server validates the token (which is valid!) and serves the file. The password protection logic was entirely client-side, relying on the user to be "honest" enough to not look at the hidden API response.

The Impact: Broken Promises

The impact here is a complete loss of confidentiality for shared files. Any file that was shared with the expectation of password protection is effectively public to anyone who possesses the share link.

This is particularly dangerous because users think they are secure. They might share PII, credentials, or backup archives over these links, believing the password provides a layer of encryption or access control. It does not.

Furthermore, because the API response often leaked internal file paths (e.g., /mnt/data/users/admin/passwords.txt), this vulnerability also serves as an information disclosure primitive, revealing the directory structure of the host server.

The Fix: Shutting the Door

The remediation is straightforward: Update immediately.

If you are running FileBrowser Quantum versions prior to 1.1.3-stable or between 1.2.0-beta and 1.2.6-beta, you are vulnerable.

> [!WARNING] > Simply updating is not enough.

Because the tokens for existing shares were already generated and potentially exposed (e.g., logged in proxy logs, browser history, or indexed by bots if the link was public), you must regenerate your share links. The update fixes the code preventing future leaks, but it does not necessarily invalidate the tokens that were already leaked. Go into your dashboard, delete existing shares, and create new ones. This will generate fresh tokens that the patched API will essentially refuse to disclose.

Official Patches

FileBrowser QuantumPrimary fix commit implementing field sanitization

Fix Analysis (2)

Technical Appendix

CVSS Score
7.1/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Probability
0.04%
Top 88% most exploited

Affected Systems

FileBrowser Quantum < 1.1.3-stableFileBrowser Quantum 1.2.0-beta to < 1.2.6-beta

Affected Versions Detail

Product
Affected Versions
Fixed Version
FileBrowser Quantum
FileBrowser Quantum
< 1.1.3-stable1.1.3-stable
FileBrowser Quantum
FileBrowser Quantum
1.2.0-beta - 1.2.5-beta1.2.6-beta
AttributeDetail
CWE IDCWE-200 / CWE-288
Attack VectorNetwork (API)
CVSS v4.07.1 (High)
ImpactConfidentiality Loss
Exploit StatusTrivial / PoC Available
EPSS Score0.00041

MITRE ATT&CK Mapping

T1552Unsecured Credentials
Credential Access
T1190Exploit Public-Facing Application
Initial Access
T1078Valid Accounts
Initial Access
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor

The application exposes sensitive information (access tokens) to an unauthorized actor, allowing authentication bypass.

Known Exploits & Detection

Internal AnalysisLogic bypass using standard HTTP client tools (curl/browser)

Vulnerability Timeline

Patch commits pushed to repository
2026-02-22
CVE-2026-27611 Published
2026-02-25
GitHub Security Advisory Released
2026-02-25

References & Sources

  • [1]GitHub Advisory: GHSA-8vrh-3pm2-v4v6
  • [2]OffSeq Radar Threat Analysis

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 5 hours ago•CVE-2025-6965
7.7

CVE-2025-6965: Remote Code Execution via Integer Truncation in SQLite Aggregate Parser

An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 21 hours ago•CVE-2026-47291
9.8

CVE-2026-47291: Remote Code Execution in Windows HTTP.sys Kernel Driver

An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.

Amit Schendel
Amit Schendel
15 views•8 min read
•about 23 hours ago•CVE-2026-11822
7.8

CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.

Amit Schendel
Amit Schendel
7 views•5 min read
•1 day ago•CVE-2026-56350
6.3

CVE-2026-56350: SSO Enforcement Bypass in n8n via API Parameter Pollution / Mass Assignment

A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).

Amit Schendel
Amit Schendel
8 views•6 min read
•5 days ago•CVE-2026-55699
6.5

CVE-2026-55699: Arbitrary Directory Deletion via Path Traversal in pnpm globalBinDir Resolver

CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.

Amit Schendel
Amit Schendel
23 views•6 min read
•5 days ago•CVE-2026-55700
7.1

CVE-2026-55700: Path Traversal and Arbitrary File Write in pnpm stage download

A path traversal vulnerability in pnpm stage download allows malicious registries or compromised package manifests to overwrite arbitrary files on the victim's filesystem via unvalidated package name and version fields.

Alon Barad
Alon Barad
16 views•4 min read