CVE-2026-54091
Path Traversal in File Browser

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope. As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through `GET /api/public/share/*` and `GET /api/public/dl/*`. This vulnerability is fixed in 2.63.6.
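The rule-evaluation mistake the description refers to, modelled below as an added Go example that is not File Browser's own code. The Rule, Share, denied, vulnerableCheck and fixedCheck names, the last-matching-rule-wins semantics and the sample paths are assumptions made for illustration; the point it demonstrates is the one the advisory states: a rule written against the owner's scope (here "/projects/secret") can only match if the check sees the owner-scope path, not the path rebased onto the shared directory.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is a simplified model of an access rule: a path prefix relative to the
// owner's scope root that is either allowed or blocked. Hypothetical type for
// this example, not the project's own.
type Rule struct {
	Prefix string // e.g. "/projects/secret"
	Allow  bool
}

// denied reports whether p (an owner-scope-relative path) is blocked by the
// rules. The last matching rule wins, mirroring a typical allow/deny list.
func denied(rules []Rule, p string) bool {
	p = path.Clean("/" + p)
	blocked := false
	for _, r := range rules {
		rp := path.Clean("/" + r.Prefix)
		if p == rp || strings.HasPrefix(p, rp+"/") {
			blocked = !r.Allow
		}
	}
	return blocked
}

// Share models a public directory share by the path of the shared directory
// relative to the owner's scope root.
type Share struct {
	Root string // e.g. "/projects"
}

// vulnerableCheck mirrors the pre-2.63.6 behaviour described in the advisory:
// the filesystem root is rebased to the shared directory and the rules are
// consulted with the share-relative path, so a rule for "/projects/secret"
// never matches a request for "/secret" and the block is silently skipped.
func vulnerableCheck(rules []Rule, s Share, rel string) bool {
	return denied(rules, path.Clean("/"+rel))
}

// fixedCheck evaluates the rules against the original owner-scope path: the
// share root is joined with the requested relative path first. Cleaning rel
// behind a leading "/" already removes ".." segments; the prefix guard is
// defence in depth that documents the invariant "never outside the share".
func fixedCheck(rules []Rule, s Share, rel string) bool {
	root := path.Clean("/" + s.Root)
	full := path.Join(root, path.Clean("/"+rel))
	if full != root && !strings.HasPrefix(full, root+"/") {
		return true // escaped the share root: always deny
	}
	return denied(rules, full)
}

func main() {
	rules := []Rule{{Prefix: "/projects/secret", Allow: false}}
	s := Share{Root: "/projects"}
	for _, req := range []string{"/readme.txt", "/secret/keys.txt", "/../other"} {
		fmt.Printf("%-18s vulnerable denied=%-5v fixed denied=%v\n",
			req, vulnerableCheck(rules, s, req), fixedCheck(rules, s, req))
	}
}
```

Run as-is, the vulnerable check lets "/secret/keys.txt" through while the fixed check denies it; "/readme.txt" passes both, which is the intended share behaviour.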
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor        Product       Version / Range
file_browser  file_browser  up to 2.63.6 (excluding)
filebrowser   file_browser  up to 2.63.6 (excluding)
filebrowser   file_browser  2.63.6
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Quick Actions (insights generated by AI)
Executive Summary

CVE-2026-54091 is a vulnerability in File Browser versions 2.63.5 and earlier related to incorrect access control in public directory shares.

The issue arises because the public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope.

As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory.

This can be exploited through unauthenticated public endpoints like GET /api/public/share/* and GET /api/public/dl/*, allowing unauthorized disclosure of sensitive files.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information.

  • Attackers can access files and subdirectories that were explicitly blocked by the owner.
  • Sensitive data such as configuration files, backups, or private project directories may be exposed.
  • The vulnerability is exploitable without authentication, user interaction, or privileges.

Overall, this can compromise confidentiality and potentially lead to data breaches.

Detection Guidance

This vulnerability can be detected by monitoring requests to the public share endpoints of File Browser, specifically the unauthenticated GET requests to /api/public/share/* and /api/public/dl/*. Anomalous access to files or directories that should be blocked by owner rules but are accessible through these endpoints indicates exploitation attempts.

To detect potential exploitation, analyze web server or application logs for GET requests to these API paths whose path below the shared directory falls under a location the owner blocked with a rule. The same endpoints carry legitimate share traffic, so a request to them is not suspicious by itself; what matters is a successful response for a path that the rules should have denied.

Example commands to detect suspicious access attempts might include:

  • Using grep on access logs to find requests to the vulnerable endpoints:
      grep -E 'GET /api/public/(share|dl)/' /path/to/filebrowser/access.log
  • Filtering for requests accessing sensitive or blocked paths under the shared directory (the keywords are placeholders; substitute the paths your rules actually block):
      grep -E 'GET /api/public/(share|dl)/.*(config|backup|private)' /path/to/filebrowser/access.log
  • Using network monitoring tools to capture HTTP traffic and filter for GET requests to /api/public/share/* or /api/public/dl/* endpoints.

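
The log review described above, worked through as an added Go example that is not from the page or from the File Browser project. It parses constructed combined-format access-log lines, picks out requests to /api/public/share/* and /api/public/dl/*, and flags those whose path below the share root falls under a prefix the owner had blocked, then raises an alert only when the server actually served such a path. The URL layout /api/public/(share|dl)/<share id>/<path>, the share id abc123, the log lines, the client addresses and the blocked prefixes are all constructed assumptions for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// sampleLog holds constructed access-log lines in combined log format for this
// example; they are not real traffic. Assumed URL layout:
// /api/public/(share|dl)/<share id>/<path below the share root>.
const sampleLog = `10.0.0.5 - - [25/Jun/2026:10:01:02 +0000] "GET /api/public/share/abc123/readme.txt HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [25/Jun/2026:10:01:09 +0000] "GET /api/public/dl/abc123/config/secrets.env HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.7 - - [25/Jun/2026:10:02:15 +0000] "GET /api/resources/home HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Jun/2026:10:03:40 +0000] "GET /api/public/share/abc123/backup/db.sql HTTP/1.1" 404 0 "-" "python-requests/2.31"
`

// reqRe captures client, timestamp, share id, path below the share root and
// HTTP status for GET requests to the two public share endpoints.
var reqRe = regexp.MustCompile(
	`^(\S+) \S+ \S+ \[([^\]]+)\] "GET /api/public/(?:share|dl)/([^/\s"]+)/?([^\s?"]*)[^"]*" (\d{3})`)

// Hit is one request to a public share endpoint.
type Hit struct {
	Client  string
	Time    string
	Share   string
	Path    string // path below the share root, cleaned
	Status  string
	Blocked bool // path lies under a prefix the owner blocked for this share
}

// scan parses logText and marks each public-share request whose path lies
// under one of the blocked prefixes configured for that share.
func scan(logText string, blocked map[string][]string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := reqRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not a public share request
		}
		h := Hit{Client: m[1], Time: m[2], Share: m[3], Path: path.Clean("/" + m[4]), Status: m[5]}
		for _, prefix := range blocked[h.Share] {
			p := path.Clean("/" + prefix)
			if h.Path == p || strings.HasPrefix(h.Path, p+"/") {
				h.Blocked = true
				break
			}
		}
		hits = append(hits, h)
	}
	return hits
}

// alerts keeps the hits that matter most: a blocked path that the server
// actually served (2xx). A 404 on a blocked path is worth a look but did not
// disclose anything.
func alerts(hits []Hit) []Hit {
	var out []Hit
	for _, h := range hits {
		if h.Blocked && strings.HasPrefix(h.Status, "2") {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	// Assumed: the owner blocked config/ and backup/ beneath the directory
	// behind share abc123.
	blocked := map[string][]string{"abc123": {"/config", "/backup"}}
	for _, h := range alerts(scan(sampleLog, blocked)) {
		fmt.Printf("ALERT %s %s share=%s path=%s status=%s\n",
			h.Time, h.Client, h.Share, h.Path, h.Status)
	}
}
```

On the sample input this prints a single alert for the secrets.env download; the 404 on backup/db.sql is recorded as a blocked-path hit but not alerted. The blocked-prefix map is the piece to derive from your own share configuration: list, per share, the rule-blocked locations that sit beneath the shared directory, since those are exactly the paths this bug exposes.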
Mitigation Strategies

The immediate and recommended mitigation step is to upgrade File Browser to version 2.63.6 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, consider restricting access to the public share API endpoints (/api/public/share/* and /api/public/dl/*) via network controls such as firewall rules or reverse proxy configurations to limit unauthenticated access. Note that blocking these endpoints disables public shares entirely for as long as the restriction is in place, so it is a stopgap rather than a fix.

Review and tighten access control rules and monitor logs for suspicious activity to detect potential exploitation attempts.

Compliance Impact

This vulnerability allows unauthenticated attackers to bypass access control rules and access files and subdirectories that were explicitly blocked by the owner within a shared directory. Such unauthorized disclosure of sensitive files, configuration files, backups, or private project directories can lead to exposure of confidential data.

The unauthorized disclosure of sensitive or confidential information due to this vulnerability could result in non-compliance with data protection regulations and standards such as GDPR or HIPAA, which require strict controls on access to personal and sensitive data.

Therefore, exploitation of this vulnerability may lead to violations of these regulations by exposing protected data without proper authorization or audit controls.
