CVE-2026-54096
Deferred - Pending Action
File Browser Path Traversal via Public Share Exposure

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.7, `POST /api/share/<path>` accepts an authenticated request for an arbitrary path and stores a public share record without checking whether the target file currently exists. Later, when a file is created at that same path, the previously created public share immediately becomes valid and exposes the new file through `GET /api/public/dl/<hash>`. This vulnerability is fixed in 2.63.7.
Meta Information
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: filebrowser
Product: filebrowser
Version / Range: to 2.63.7 (inc)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Compliance Impact

This vulnerability can lead to unintentional exposure of sensitive files by bypassing access control mechanisms. Such unauthorized disclosure of sensitive or personal data may result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and health information.

Because the vulnerability allows public access to files that were not intended to be shared, organizations using affected versions of FileBrowser risk violating confidentiality and data protection requirements mandated by these standards.

Remediation by updating to FileBrowser version 2.63.7 or later is necessary to restore proper access control and help maintain compliance with such regulations.

Executive Summary

CVE-2026-54096 is a vulnerability in FileBrowser versions 2.63.6 and earlier where an authenticated user can create a public share for a file path that does not yet exist. The system stores this share without verifying whether a file actually exists at that path at the time.

Later, when a file is created at that previously shared path, the public share automatically becomes valid and exposes the new file through a public download link. This bypasses the intended security check that shares should only grant access to existing files at the time of share creation.

Impact Analysis

This vulnerability can lead to unintentional exposure of sensitive files. Because a public share can be created in advance for a non-existent file path, any file later created at that path becomes publicly accessible without proper authorization.

It effectively bypasses access control mechanisms, potentially allowing unauthorized users to download files that should be protected.

Detection Guidance

This vulnerability involves the creation of public shares for non-existent file paths that later become valid when files are created at those paths. Detection involves identifying such pre-created public shares that point to files which did not exist at the time of share creation.

To detect this on your system, you can audit the FileBrowser API usage logs for POST requests to endpoints like `/api/share/<path>` where the path did not exist at the time of the request. Additionally, monitoring GET requests to `/api/public/dl/<hash>` that serve files created after the share was made can indicate exploitation.

Specific commands depend on your logging and monitoring setup, but generally you can use tools like `grep` or `jq` to search logs for suspicious POST requests creating shares on non-existent paths and subsequent GET requests accessing those shares.

  • Example command to search logs for share creation requests: `grep 'POST /api/share/' /path/to/filebrowser/logs`
  • Example command to check for public download accesses: `grep 'GET /api/public/dl/' /path/to/filebrowser/logs`

Correlate timestamps between share creation and file creation events to identify potentially vulnerable shares.
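The correlation described above, as an added example (not from this advisory or the FileBrowser project), run over constructed log lines in Python: the log layout, the `share=` token recording the returned hash, and the `FILE_CREATED` events are assumptions, since the real format depends on the deployment's logging setup.

```python
import re
from datetime import datetime

# Constructed sample log (not FileBrowser's real format): the "share=" token and
# the FILE_CREATED events are assumptions standing in for whatever the deployment's
# API log and filesystem audit trail actually record.
SAMPLE_LOG = """\
2026-06-20T10:00:00Z alice POST /api/share/docs/q3-report.pdf share=h1a2b3
2026-06-20T10:05:00Z bob POST /api/share/docs/existing.txt share=c4d5e6
2026-06-21T09:00:00Z - FILE_CREATED /docs/q3-report.pdf
2026-06-21T09:10:00Z - GET /api/public/dl/h1a2b3
2026-06-21T09:11:00Z - GET /api/public/dl/c4d5e6
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<event>[A-Z_]+) (?P<target>\S+)"
                     r"(?: share=(?P<hash>\S+))?$")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_precreated_shares(log_text, preexisting_paths):
    """Return {share_hash: details} for shares whose target did not exist when the
    share was made, recording when the file later appeared and how many public
    downloads were served after that.  preexisting_paths: paths present when the
    log begins (e.g. from a filesystem listing); other shared paths count as absent."""
    shares = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        ts, event, target = _ts(m["ts"]), m["event"], m["target"]
        if event == "POST" and target.startswith("/api/share/") and m["hash"]:
            path = "/" + target[len("/api/share/"):]
            if path not in preexisting_paths:  # share created for a missing file
                shares[m["hash"]] = {"path": path, "user": m["user"], "created": ts,
                                     "file_created": None, "downloads": 0}
        elif event == "FILE_CREATED":
            for s in shares.values():  # file now exists: the older share went live
                if s["path"] == target and s["file_created"] is None and ts > s["created"]:
                    s["file_created"] = ts
        elif event == "GET" and target.startswith("/api/public/dl/"):
            h = target[len("/api/public/dl/"):]
            if h in shares and shares[h]["file_created"] is not None:
                shares[h]["downloads"] += 1  # public download of the exposed file
    return shares
```

Shares that appear in the result with a non-empty `file_created` are the ones that went live after the fact; a non-zero `downloads` count means the exposed file was actually served.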

Mitigation Strategies

The primary and recommended mitigation is to update FileBrowser to version 2.63.7 or later, where this vulnerability has been fixed.

Until the update can be applied, restrict authenticated users' ability to create public shares for paths that do not currently exist, if possible, through configuration or access control policies.

Additionally, monitor and audit existing public shares to identify and remove any shares created for non-existent paths that could expose sensitive files once those files are created.
