CVE-2026-35606
Received Received - Intake
Unauthorized File Read via Permission Bypass in File Browser

Publication date: 2026-04-07

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other content-serving endpoints (/api/raw, /api/preview, /api/subtitle) correctly verify this permission before serving content. A user with download: false can read any text file within their scope through two bypass paths. This vulnerability is fixed in 2.63.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35606
EUVD
EUVD-2026-19780
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
filebrowser filebrowser to 2.63.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35606 is a moderate severity vulnerability in the File Browser project affecting versions up to 2.62.2. The issue occurs in the resourceGetHandler function, which serves full text file content via the /api/resources endpoint without verifying if the user has the Perm.Download permission.

While other endpoints (/api/raw, /api/preview, /api/subtitle) correctly check this permission and deny access when download permission is false, the /api/resources endpoint does not. This allows a user without download permission to read any text file within their scope by either requesting the resource normally and extracting the content from the JSON response or by using the X-Encoding header to receive raw file content.

The root cause is that the handler always loads and returns text content regardless of download permissions, and the code path handling the X-Encoding header also returns raw bytes without permission checks. This is classified as a missing authorization weakness (CWE-862). The vulnerability was fixed in version 2.63.1 by adding proper permission checks.

Impact Analysis

This vulnerability allows users who do not have download permissions to read the full contents of text files within their authorized scope. This can lead to unauthorized disclosure of sensitive information.

  • Exposure of sensitive data such as source code.
  • Leakage of configuration files.
  • Access to credentials and API tokens.

Although path-based authorization is still enforced, the bypass of the download permission check means that users can access file contents they should not be able to download, potentially leading to data breaches or information leakage.

Detection Guidance

This vulnerability can be detected by attempting to access the /api/resources endpoint with a user account that has the download permission set to false and checking if full text file content is returned despite the lack of permission.

Specifically, you can test two bypass paths:

  • Request /api/resources normally and inspect the JSON response's content field for full text file content.
  • Request /api/resources with the HTTP header 'X-Encoding: true' to receive raw file content as application/octet-stream.

If either method returns file content despite the user lacking download permission, the vulnerability is present.

In contrast, requests to /api/raw with the same user should return HTTP 202 Accepted with no content if the permission check is enforced correctly.

Example curl commands to test this might be:

  • curl -i -H "Authorization: Bearer <token>" https://<filebrowser-host>/api/resources?path=<file-path>
  • curl -i -H "Authorization: Bearer <token>" -H "X-Encoding: true" https://<filebrowser-host>/api/resources?path=<file-path>
  • curl -i -H "Authorization: Bearer <token>" https://<filebrowser-host>/api/raw?path=<file-path>

Replace <token>, <filebrowser-host>, and <file-path> with appropriate values for your environment.

Mitigation Strategies

The immediate mitigation step is to upgrade File Browser to version 2.63.1 or later, where this vulnerability is fixed.

The fix ensures that the /api/resources endpoint properly checks the Perm.Download permission flag before serving full text or raw file content, returning HTTP 202 Accepted when download permission is denied.

Until the upgrade can be applied, consider restricting access to the /api/resources endpoint or monitoring and blocking suspicious requests that attempt to exploit this bypass.

Additionally, review user permissions to ensure that only trusted users have download permissions, minimizing exposure.

Compliance Impact

This vulnerability allows users without download permission to read the full contents of text files within their authorized scope, potentially exposing sensitive data such as source code, configuration files, credentials, and API tokens.

Such unauthorized access to sensitive information can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Because the vulnerability bypasses permission checks, it increases the risk of data exposure, which may result in violations of data privacy and security requirements mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35606. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart