CVE-2026-54094
Deferred Deferred - Pending Action
Symbolic Link Following in File Browser

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.14, it does not stop the HTTP file handlers from following symbolic links before they open, serve, write, share, or list a file. As a result, a scoped user β€” and in some cases an unauthenticated public-share recipient β€” can cross the intended scope boundary by following a symlink whose path is lexically inside their scope but whose target is outside it. This vulnerability is fixed in 2.63.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-26
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-54094
EUVD
EUVD-2026-39503
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
filebrowser file_browser to 2.63.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-54094 is a vulnerability in File Browser versions up to 2.63.13 where the application does not properly prevent HTTP file handlers from following symbolic links (symlinks) before performing file operations such as opening, serving, writing, sharing, or listing files.

This means that a scoped user or, in some cases, an unauthenticated public-share recipient can bypass the intended access boundaries by using symlinks that appear to be inside their allowed directory scope but actually point to files or directories outside that scope.

The vulnerability arises because the application enforces path restrictions based on the lexical path but resolves symlinks only after these checks, allowing unauthorized access to files outside the user's permitted area.

Two variants exist: one where the symlink is the final path component pointing outside the scope, and another where a symlinked directory ancestor allows access to files outside the scope.

This issue affects multiple file operations including reading, writing, uploading, sharing, and public downloads.

The vulnerability has a high severity score (CVSS 7.5) because it can lead to unauthorized disclosure of sensitive data without requiring any privileges or user interaction.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to access, read, or write files outside their intended directory scope within the File Browser application.

Such unauthorized access can lead to exposure of sensitive or confidential information, modification of files, or unauthorized uploads and downloads.

Because exploitation does not require any privileges or user interaction, attackers can easily leverage this flaw to compromise data confidentiality.

Detection Guidance

Detection of this vulnerability involves identifying whether symbolic links within the File Browser's scoped directories point to files or directories outside the intended scope. Since the vulnerability allows scoped users or public-share recipients to access files outside their scope via symlinks, checking for such symlinks is key.

You can use filesystem commands to find symbolic links inside the File Browser's directories and verify if their targets lie outside the allowed scope.

  • Use the command `find /path/to/filebrowser/root -type l -exec ls -l {} +` to list all symbolic links and their targets.
  • Manually or programmatically check if the symlink targets resolve outside the intended directory scope.
  • Monitor HTTP requests to the File Browser for unusual file access patterns that involve paths with symbolic links.
Mitigation Strategies

The immediate mitigation step is to upgrade File Browser to version 2.63.14 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict or disable the use of symbolic links within the File Browser's scoped directories to prevent users from exploiting symlink traversal.

Additionally, review and tighten access controls on shared directories and public shares to limit exposure.

Compliance Impact

The vulnerability CVE-2026-54094 allows unauthorized users to access files outside their intended scope by exploiting symbolic links, potentially exposing sensitive data.

Such unauthorized access to sensitive or confidential information can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls on data confidentiality and access.

Because the vulnerability enables confidentiality breaches without requiring privileges or user interaction, it poses a significant risk to compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54094. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart