CVE-2026-28492
Received Received - Intake
Directory Traversal in File Browser Allows Unauthorized File Access

Publication date: 2026-03-05

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28492
EUVD
EUVD-2026-9881
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
filebrowser filebrowser From 2.0.0 (inc) to 2.61.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28492 is a path traversal vulnerability in the File Browser project affecting versions prior to 2.61.0. When a user creates a public share link for a directory, the software incorrectly sets the filesystem root to the parent directory of the shared directory instead of the shared directory itself. This happens because the code uses filepath.Dir(link.Path) to compute the root, which moves the root one level up.

As a result, anyone with the public share link can browse and download files from all sibling directories of the shared directory, not just the intended shared directory. This means unauthorized access to files outside the shared folder is possible.

Impact Analysis

This vulnerability can lead to unauthorized information disclosure and improper access control. Specifically, an attacker or unauthorized user with access to a public share link can browse and download sensitive files from directories that were not intended to be shared.

This could expose confidential or private data stored in sibling directories, potentially leading to data breaches or leakage of sensitive information without requiring authentication beyond the share link or share password.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by testing whether public share links allow access to files outside the intended shared directory. Specifically, by attempting to access sibling directories or files outside the shared directory using the public share link endpoints.

You can try accessing the directory listing and file download endpoints with a public share link hash and verify if files outside the shared directory are accessible.

  • Use the endpoint `/api/public/share/{hash}` to check if directory listings include files from sibling directories.
  • Use the endpoint `/api/public/dl/{hash}/path` to attempt downloading files from sibling directories outside the shared directory.

For example, if you have a public share link hash, try commands like:

  • curl -v https://your-filebrowser-domain/api/public/share/{hash}
  • curl -v https://your-filebrowser-domain/api/public/dl/{hash}/../sibling-directory/secret-file.txt

If these commands return files or directory listings outside the intended shared directory, the system is vulnerable.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade File Browser to version 2.61.0 or later, where the issue has been patched.

The patch fixes the path handling by removing the use of `filepath.Dir()` and properly sanitizing the shared directory path, preventing access to sibling directories.

Until you can upgrade, avoid creating public share links for directories or restrict access to trusted users only, as the vulnerability allows unauthorized browsing and downloading of files outside the shared directory.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28492. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart