CVE-2026-28492
Directory Traversal in File Browser Allows Unauthorized File Access
Publication date: 2026-03-05
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filebrowser | filebrowser | From 2.0.0 (inc) to 2.61.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28492 is a path traversal vulnerability in the File Browser project affecting versions prior to 2.61.0. When a user creates a public share link for a directory, the software incorrectly sets the filesystem root to the parent directory of the shared directory instead of the shared directory itself. This happens because the code uses filepath.Dir(link.Path) to compute the root, which moves the root one level up.
As a result, anyone with the public share link can browse and download files from all sibling directories of the shared directory, not just the intended shared directory. This means unauthorized access to files outside the shared folder is possible.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized information disclosure and improper access control. Specifically, an attacker or unauthorized user with access to a public share link can browse and download sensitive files from directories that were not intended to be shared.
This could expose confidential or private data stored in sibling directories, potentially leading to data breaches or leakage of sensitive information without requiring authentication beyond the share link or share password.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether public share links allow access to files outside the intended shared directory. Specifically, by attempting to access sibling directories or files outside the shared directory using the public share link endpoints.
You can try accessing the directory listing and file download endpoints with a public share link hash and verify if files outside the shared directory are accessible.
- Use the endpoint `/api/public/share/{hash}` to check if directory listings include files from sibling directories.
- Use the endpoint `/api/public/dl/{hash}/path` to attempt downloading files from sibling directories outside the shared directory.
For example, if you have a public share link hash, try commands like:
- curl -v https://your-filebrowser-domain/api/public/share/{hash}
- curl -v https://your-filebrowser-domain/api/public/dl/{hash}/../sibling-directory/secret-file.txt
If these commands return files or directory listings outside the intended shared directory, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade File Browser to version 2.61.0 or later, where the issue has been patched.
The patch fixes the path handling by removing the use of `filepath.Dir()` and properly sanitizing the shared directory path, preventing access to sibling directories.
Until you can upgrade, avoid creating public share links for directories or restrict access to trusted users only, as the vulnerability allows unauthorized browsing and downloading of files outside the shared directory.