CVE-2026-30933
Information Disclosure in FileBrowser Quantum Password-Protected Shares
Publication date: 2026-03-10
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filebrowser | filebrowser | up to 1.2.9 (inclusive) |
| filebrowser | filebrowser | 1.2.1 |
| filebrowser | filebrowser | 1.3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-602 | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30933 is an incomplete remediation of a previous vulnerability (CVE-2026-27611) in FileBrowser Quantum, a web-based file manager. The issue allows unauthorized access to password-protected shared files through the public API endpoint `/public/api/share/info`.
Technically, the vulnerability occurs because the tokenized download URLs, which include a bearer token for authentication, are stored persistently and returned by the public API without clearing the sensitive token information. This means that even password-protected shares expose a download URL containing a valid token.
An attacker can use this exposed tokenized URL to bypass password protection and download files without authentication.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to files that are supposed to be protected by passwords. An unauthenticated attacker can bypass password protection by obtaining the tokenized download URL from the public API endpoint.
- Authentication bypass
- Unauthorized file access
- Confidentiality compromise of sensitive files
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the public API endpoint `/public/api/share/info` discloses tokenized download URLs for password-protected shares.
A practical detection method is to perform a curl request to the endpoint with a share hash and inspect the JSON response for the presence of a `downloadURL` containing a token query parameter.
- Use the command: `curl -s "http://<filebrowser-host>/public/api/share/info?hash=<share-hash>" | grep downloadURL`
- If the response JSON includes a `downloadURL` with a token query parameter despite the share being password protected (`"hasPassword": true`), the vulnerability is present. [1]
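The check described above, as an added example that is not part of this record or of the FileBrowser project: a Python script that parses the `/public/api/share/info` JSON, flags a password-protected share whose `downloadURL` still carries a `token` query parameter, and redacts the token before logging the finding. The sample responses and the `raw` path inside them are constructed; only the `hasPassword` and `downloadURL` fields and the `token` parameter come from the advisory text.

```python
"""Check a FileBrowser Quantum share/info response for CVE-2026-30933 exposure."""
import json
import sys
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse


def share_info_leaks_token(info: dict) -> bool:
    """True if a password-protected share still carries a tokenized downloadURL.

    A patched server clears DownloadURL for protected shares until the password
    has been validated, so an empty or absent field is the expected safe state.
    """
    if not info.get("hasPassword", False):
        return False  # unprotected shares are meant to be downloadable anyway
    url = info.get("downloadURL") or ""
    if not url:
        return False
    query = parse_qs(urlparse(url).query)
    return bool(query.get("token"))


def redact_token(url: str) -> str:
    """Replace the token value so the finding can be logged without re-leaking it."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "token" in query:
        query["token"] = ["REDACTED"]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def fetch_share_info(base_url: str, share_hash: str, timeout: float = 10.0) -> dict:
    """GET /public/api/share/info?hash=<share-hash> and decode the JSON body."""
    url = f"{base_url.rstrip('/')}/public/api/share/info?{urlencode({'hash': share_hash})}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample responses (not captured from a real server) for offline use.
SAMPLE_VULNERABLE = {
    "hash": "EXAMPLE_SHARE_HASH",
    "hasPassword": True,
    "downloadURL": "https://files.example.org/public/api/raw?hash=EXAMPLE_SHARE_HASH&token=EXAMPLE_TOKEN",
}
SAMPLE_FIXED = {"hash": "EXAMPLE_SHARE_HASH", "hasPassword": True, "downloadURL": ""}

if __name__ == "__main__":
    # Usage: python check_share.py <base-url> <share-hash>; no args runs the offline sample.
    info = fetch_share_info(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_VULNERABLE
    if share_info_leaks_token(info):
        print("VULNERABLE: protected share exposes", redact_token(info["downloadURL"]))
        sys.exit(1)
    print("OK: no tokenized downloadURL returned for a password-protected share")
```

A non-zero exit status marks the vulnerable case, so the script can be dropped into a post-upgrade verification job alongside the `curl` check above.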
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade FileBrowser Quantum to a fixed version where the vulnerability is patched.
- Upgrade to version 1.3.1-beta or later.
- Alternatively, upgrade to version 1.2.2-stable or later if using the stable branch.
The patch sanitizes the `DownloadURL` field by clearing it before returning the JSON response and ensures tokenized URLs are generated only after successful password validation.