File Browser Permission Bypass Vulnerability in Public Share Download Flow

Vulnerability

A permission enforcement bypass vulnerability has been identified in File Browser versions through 2.61.0. This vulnerability allows users who are denied download privileges but granted share privileges to exfiltrate file content by creating public share links. While the direct raw download endpoint properly enforces download permissions, the share creation endpoint only checks for share privileges. Consequently, any authenticated user with share access can bypass download restrictions by sharing a file and retrieving it via the unauthenticated public download URL. This issue undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are blocked from downloading directly.

Impact

Exploitation of this vulnerability allows for unauthorized access to file content, bypassing established download restrictions and enabling data exfiltration to unauthenticated users. This could lead to unintentional data exposure, especially in environments where file confidentiality is critical.

Reproduction

To reproduce this vulnerability, create a non-admin user with share privileges enabled and download privileges disabled. After logging in as this user, upload a PDF file and verify that direct raw downloads are blocked. Next, create a share link for the same file, which should be successful. Finally, use the public download endpoint with the shared file's hash to retrieve the file content, which will be returned successfully, demonstrating the bypassed restriction.
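The root cause described above and in the reproduction steps is an inconsistency between two code paths that both end in file bytes leaving the server: the raw download handler checks the download permission, while share creation checks only the share permission, even though a public share link hands the content to anyone holding the hash. The following Go program is an added illustration, not File Browser's own code; the `Perms`, `User` and handler functions are constructed stand-ins, and `createShareHardened` shows one way to restore the invariant (creating a public link requires at least the permission needed to download directly) rather than the actual change shipped in 2.62.0. `BypassPossible` replays the advisory's scenario against each share-creation check.

```go
package main

import (
	"errors"
	"fmt"
)

// Perms models per-user permission flags (constructed for this example;
// not File Browser's own type).
type Perms struct {
	Share    bool
	Download bool
}

// User is a minimal authenticated principal (constructed).
type User struct {
	Name  string
	Perms Perms
}

var ErrForbidden = errors.New("forbidden")

// rawDownload models the direct raw download endpoint, which the advisory
// says enforces the download permission correctly.
func rawDownload(u User, path string) error {
	if !u.Perms.Download {
		return ErrForbidden
	}
	return nil
}

// createShareVulnerable models the share-creation check as the advisory
// describes it: only the share privilege is consulted, so a user with
// Share=true and Download=false can still publish a public link.
func createShareVulnerable(u User, path string) error {
	if !u.Perms.Share {
		return ErrForbidden
	}
	return nil
}

// createShareHardened requires both privileges: a public share link is at
// least as powerful as a direct download, so it must be gated at least as
// strictly. Illustrative fix only; the real 2.62.0 change is not reproduced.
func createShareHardened(u User, path string) error {
	if !u.Perms.Share || !u.Perms.Download {
		return ErrForbidden
	}
	return nil
}

// publicDownload models the unauthenticated share endpoint: anyone holding
// the hash gets the file, so policy can only be enforced at share creation.
func publicDownload(shares map[string]string, hash string) (string, error) {
	path, ok := shares[hash]
	if !ok {
		return "", errors.New("no such share")
	}
	return path, nil
}

// BypassPossible replays the advisory's scenario (share allowed, download
// denied) against a share-creation check and reports whether the restricted
// user can still obtain the file through the public endpoint.
func BypassPossible(createShare func(User, string) error) bool {
	u := User{Name: "restricted", Perms: Perms{Share: true, Download: false}}
	const path = "/files/report.pdf" // constructed sample path

	if rawDownload(u, path) == nil {
		return true // direct path should already be blocked
	}
	if err := createShare(u, path); err != nil {
		return false // hardened check stops the bypass here
	}
	shares := map[string]string{"constructed-hash": path}
	_, err := publicDownload(shares, "constructed-hash")
	return err == nil
}

func main() {
	fmt.Println("vulnerable check, bypass possible:", BypassPossible(createShareVulnerable))
	fmt.Println("hardened check, bypass possible:", BypassPossible(createShareHardened))
}
```

The useful takeaway for reviewers of similar systems is the shape of `BypassPossible`: a regression test that models a user with the weaker of two permissions and asserts that every path producing a public URL is denied, so a future endpoint that mints links cannot silently reintroduce the gap.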

Remediation

Users can upgrade to File Browser version 2.62.0 or later, where this vulnerability has been fixed.

Added: Mar 20, 2026, 12:21 AM
Updated: Mar 20, 2026, 12:21 AM

Vulnerability Rating

Custom Algorithm
spread          0.8
impact          2.5
exploitability  6.3
remediation     7.7
relevance       4.2
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.