CVE-2026-30933
Received Received - Intake
Information Disclosure in FileBrowser Quantum Password-Protected Shares

Publication date: 2026-03-10

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30933
EUVD
EUVD-2026-10543
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
filebrowser filebrowser to 1.2.9 (inc)
filebrowser filebrowser 1.2.1
filebrowser filebrowser 1.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-602 The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30933 is an incomplete remediation of a previous vulnerability (CVE-2026-27611) in FileBrowser Quantum, a web-based file manager. The issue allows unauthorized access to password-protected shared files through the public API endpoint `/public/api/share/info`.

Technically, the vulnerability occurs because the tokenized download URLs, which include a bearer token for authentication, are stored persistently and returned by the public API without clearing the sensitive token information. This means that even password-protected shares expose a download URL containing a valid token.

An attacker can use this exposed tokenized URL to bypass password protection and download files without authentication.

Impact Analysis

This vulnerability can lead to unauthorized access to files that are supposed to be protected by passwords. An unauthenticated attacker can bypass password protection by obtaining the tokenized download URL from the public API endpoint.

  • Authentication bypass
  • Unauthorized file access
  • Confidentiality compromise of sensitive files
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the public API endpoint `/public/api/share/info` discloses tokenized download URLs for password-protected shares.'}, {'type': 'paragraph', 'content': 'A practical detection method is to perform a curl request to the endpoint with a share hash and inspect the JSON response for the presence of a `downloadURL` containing a token query parameter.'}, {'type': 'list_item', 'content': 'Use the command: curl -s "http://<filebrowser-host>/public/api/share/info?hash=<share-hash>" | grep downloadURL'}, {'type': 'list_item', 'content': 'If the response JSON includes a `downloadURL` with a token query parameter despite the share being password protected (`"hasPassword": true`), the vulnerability is present.'}] [1]

Mitigation Strategies

The immediate mitigation is to upgrade FileBrowser Quantum to a fixed version where the vulnerability is patched.

  • Upgrade to version 1.3.1-beta or later.
  • Alternatively, upgrade to version 1.2.2-stable or later if using the stable branch.

The patch sanitizes the `DownloadURL` field by clearing it before returning the JSON response and ensures tokenized URLs are generated only after successful password validation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30933. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart