File Browser
cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*
- <= 2.62.2
A vulnerability in File Browser prior to version 2.63.1 allows unauthorized access to share links even after the admin has revoked the user's sharing permissions. The issue arises because the public share download handler does not verify the current permissions of the share owner, leaving links created by users with revoked permissions accessible to unauthenticated users.
This vulnerability allows unauthorized users to access shared links that should have been revoked, creating a false sense of security for administrators.
To reproduce this vulnerability, log in as an admin and create a user with sharing permissions. Have that user create a share link, then revoke their sharing permissions. While the user will be unable to create new shares, the old share link will still be accessible to unauthenticated users.
Users can update to File Browser version 2.63.1 or later, where this vulnerability has been fixed.
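To illustrate the missing check described above, the following is an added, simplified Go model; it is not File Browser's own code, and the `User`, `Share` and `Store` types, the `CanShare` field and the function names are assumptions. It places a resolver that trusts the share hash alone beside one that re-checks the owner's current sharing permission on every public request, treating a missing owner the same as a revoked one.

```go
package main
import "errors"

// Hypothetical share/user model illustrating the advisory's point; the names
// and layout are assumptions, not File Browser's own code.
type User struct {
	ID       uint
	CanShare bool // sharing permission an admin can grant or revoke
}
type Share struct {
	Hash    string
	OwnerID uint
}
type Store struct {
	users  map[uint]*User
	shares map[string]*Share
}
var ErrNotFound = errors.New("share not found")
var ErrRevoked = errors.New("share owner no longer has sharing permission")

// vulnerableResolve mirrors the flawed handler: it only checks that the share
// hash exists and never consults the owner's current permissions.
func (s *Store) vulnerableResolve(hash string) (*Share, error) {
	sh, ok := s.shares[hash]
	if !ok {
		return nil, ErrNotFound
	}
	return sh, nil
}

// fixedResolve re-checks the owner's permission on every public download,
// so revoking it also disables links created earlier.
func (s *Store) fixedResolve(hash string) (*Share, error) {
	sh, ok := s.shares[hash]
	if !ok {
		return nil, ErrNotFound
	}
	if owner, ok := s.users[sh.OwnerID]; !ok || !owner.CanShare {
		return nil, ErrRevoked
	}
	return sh, nil
}

// NewDemoStore: constructed scenario, user 2 shared "abc123" then lost CanShare.
func NewDemoStore() *Store {
	return &Store{
		users:  map[uint]*User{2: {ID: 2, CanShare: false}},
		shares: map[string]*Share{"abc123": {Hash: "abc123", OwnerID: 2}},
	}
}
```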