Compliance Impact

This vulnerability allows previously created public share links to remain accessible to unauthenticated users even after an administrator revokes the share owner's Share and Download permissions.

Such unauthorized access to shared files can lead to exposure of sensitive or personal data, which may violate data protection requirements under regulations like GDPR and HIPAA that mandate strict access controls and revocation of permissions.

Because the system does not properly enforce permission revocation on existing shares, organizations using affected versions of File Browser may face compliance risks related to unauthorized data disclosure.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to files shared via public links. Even after an administrator revokes a user's Share and Download permissions, the existing share links created by that user remain accessible to anyone without authentication.

• Unauthorized users can access sensitive or confidential files through old share links.
• Administrators may mistakenly believe that revoking permissions disables all sharing capabilities, leading to a false sense of security.
• This can result in data leakage and potential exposure of private information.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-35604 is an authorization vulnerability in the File Browser application versions prior to 2.63.1. When an administrator revokes a user's Share and Download permissions, any existing public share links created by that user remain accessible to unauthenticated users. This happens because the public share download handler does not re-check the share owner's current permissions before allowing access.

Technically, while permission checks are enforced when creating new shares, the handler that processes public share links fails to verify if the share owner still has the required Share and Download permissions. As a result, revoked users' previously created share links remain publicly accessible.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by verifying whether existing public share links remain accessible after revoking a user's Share and Download permissions. Specifically, if a share link created by a user is still accessible publicly without authentication even after the user's permissions have been revoked, the system is vulnerable.

To detect this on your system, you can perform the following steps:

• 1. Identify share links created by users who have had their Share and Download permissions revoked.
• 2. Attempt to access these share links from an unauthenticated session or different browser/incognito mode.
• 3. If the links are accessible without authentication, the vulnerability exists.

While no specific commands are provided in the resources, you can use standard HTTP request tools like curl to test access to share URLs. For example:

• curl -I https://your-filebrowser-domain/path/to/share

If the response status is 200 OK without requiring authentication, it indicates the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the File Browser software to version 2.63.1 or later, where this vulnerability has been fixed.

The fix ensures that the public share download handler re-validates the share owner's current Share and Download permissions before allowing access to existing share links.

Until the upgrade is applied, administrators should be aware that revoking Share and Download permissions does not invalidate existing share links, so sensitive files may remain accessible.

As a temporary workaround, consider manually invalidating or deleting existing share links created by users whose permissions have been revoked.

Useful 0 Not Useful 0