CVE-2026-61874
Received Received - Intake

Filebrowser Path Traversal via Share Index Deletion

Vulnerability report for CVE-2026-61874, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulnCheck

Description

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose new contents through the dormant public share URL.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
filebrowser filebrowser to 2.63.17 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in filebrowser versions before 2.63.17 where the software fails to normalize directory paths before querying the share index in the DeleteWithPathPrefix function.

When an authenticated user deletes a shared directory using a path with a trailing slash (e.g., /a/), the cleanup process queries the share index with the unnormalized path, causing the exact share entry to be missed and leaving the public share active in storage.

If the directory is later recreated, the stale public share becomes active again, exposing the new directory contents through the old public share URL without requiring authentication.

An attacker with share, download, and delete permissions can exploit this by creating a public share, deleting the directory with a trailing slash, and then accessing the dormant share once the path is recreated.

The root cause is improper path normalization in the share cleanup logic, specifically in the Bolt backend's prefix query handling.

Impact Analysis

This vulnerability can lead to unauthorized exposure of data by allowing stale public shares to remain active even after the shared directory is deleted.

An attacker with low privileges and authenticated access can exploit this issue to expose new contents of a recreated directory through an old public share URL without further authentication.

This means sensitive or private data could be unintentionally exposed to unauthorized users, increasing the risk of data leakage.

The vulnerability has a low severity rating with a CVSS score around 2.3 to 3.1, but it still allows unauthorized data exposure due to incorrect authorization handling.

Detection Guidance

This vulnerability involves stale public shares remaining after deleting a shared directory with a trailing slash. Detection involves checking for public shares that remain active despite the corresponding directories being deleted and recreated.

You can audit your filebrowser share index or database for shares that point to directories which no longer exist or have been recently deleted and recreated. Look specifically for shares with paths that include trailing slashes or inconsistencies in path normalization.

Since the issue is related to path normalization in the DeleteWithPathPrefix function, commands or scripts that query the share index for entries with trailing slashes or unnormalized paths could help identify stale shares.

No specific commands are provided in the resources, but general approaches include:

  • Query the filebrowser database or share index for shares with trailing slashes or paths that do not match existing directories.
  • Monitor logs for delete operations on shared directories using trailing slashes.
  • Use filebrowser API or CLI tools to list active public shares and verify their corresponding directories exist and are properly normalized.
Mitigation Strategies

The immediate mitigation step is to upgrade filebrowser to version 2.63.17 or later, where the vulnerability is fixed by normalizing paths before querying the share index.

Until the upgrade can be applied, avoid deleting shared directories using paths with trailing slashes, as this triggers the bug that leaves stale public shares.

Additionally, review and clean up any stale public shares that may have been left behind by this issue to prevent unauthorized exposure of new directory contents.

Ensure that only trusted authenticated users have share, download, and delete permissions to reduce the risk of exploitation.

Compliance Impact

This vulnerability allows authenticated users to leave stale public shares behind, which can lead to unauthorized exposure of new directory contents through dormant public share URLs without further authentication.

Such unauthorized data exposure could potentially conflict with compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive data to prevent unauthorized disclosure.

Because the vulnerability enables exposure of data without proper authorization, it may increase the risk of non-compliance with these regulations, especially if sensitive or personal data is involved.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61874. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart