CVE-2026-28492 Overview
CVE-2026-28492 is a Path Traversal vulnerability affecting File Browser, a web-based file management interface. The vulnerability exists in versions prior to 2.61.0, where the withHashFile middleware in http/public.go incorrectly computes the filesystem root when creating public share links for directories. By using filepath.Dir(link.Path) instead of properly sanitizing the path, the application sets the filesystem root to the parent directory of the shared directory rather than the shared directory itself. This allows any user with a public share link to browse and download files from all sibling directories, resulting in unauthorized information disclosure.
Critical Impact
Unauthorized access to sensitive files and directories beyond the intended shared scope, potentially exposing confidential data to anyone with a public share link.
Affected Products
- File Browser versions prior to 2.61.0
Discovery Timeline
- 2026-03-05 - CVE-2026-28492 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28492
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw resides in the public share link functionality of File Browser, specifically within the withHashFile middleware implementation. When a user creates a public share link for a directory, the middleware incorrectly calculates the base path for the BasePathFs root filesystem. This miscalculation allows the shared link to provide access to the parent directory instead of the intended shared directory.
The practical impact is significant: an attacker who obtains a public share link can traverse to sibling directories and access files that were never intended to be shared. This could expose sensitive configuration files, user data, credentials, or other confidential information stored in adjacent directories.
Root Cause
The root cause is an improper path calculation in the withHashFile middleware located in http/public.go. When a directory is shared publicly, the code uses filepath.Dir(basePath) to determine the filesystem root. The filepath.Dir() function returns the parent directory of the given path, which inadvertently expands the accessible scope beyond the intended shared directory. The correct approach is to use filepath.Clean(link.Path) to properly sanitize and use the exact shared path as the filesystem root.
Attack Vector
The attack vector is network-based and requires low privileges (a valid public share link). An attacker who obtains or guesses a public share link for any directory can exploit this vulnerability to:
- Access the parent directory of the shared folder
- Browse and enumerate sibling directories
- Download files from any sibling directory
- Potentially access sensitive data that was never intended to be publicly accessible
The vulnerability does not require any user interaction and can be exploited remotely by anyone with access to a public share link.
// Security patch in http/public.go - fix: correctly clean path
filePath := ""
if file.IsDir {
- basePath = filepath.Dir(basePath)
+ basePath = filepath.Clean(link.Path)
filePath = ifPath
}
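Review bot: filepath.Clean(link.Path) only normalises the stored share path, it does not validate it, and the hunk does not show where link.Path is checked when the share is created; confirm it is persisted as an absolute, already-sanitised path, otherwise the fix is only as strong as that earlier validation. A short comment on what ifPath holds relative to link.Path would also help, since the directory branch now derives basePath and filePath from two different sources.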
Source: GitHub Commit Details
Detection Methods for CVE-2026-28492
Indicators of Compromise
- Unexpected access patterns to public share links attempting to traverse to parent or sibling directories
- Web server logs showing requests with path traversal sequences (../) in public share URLs
- Access to files or directories that fall outside the scope of the originally shared directory
- Unusual download activity from public share endpoints accessing multiple directory paths
Detection Strategies
- Monitor File Browser access logs for requests that access paths outside the intended shared directory scope
- Implement web application firewall (WAF) rules to detect path traversal attempts in public share link requests
- Audit public share link usage and compare accessed paths against intended shared directories
- Deploy intrusion detection systems (IDS) with signatures for path traversal patterns targeting file management applications
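An added example (not File Browser's own code) that models the root computation described under Root Cause, filepath.Dir versus filepath.Clean, and uses it for the audit suggested above: given a table of share hashes and the directories their owners meant to share, it flags access-log lines whose request would have been served from outside that directory under the pre-2.61.0 parent root. The request shape /api/public/dl/<hash>/<path>, the share table and the log lines are constructed assumptions; adapt the regex to your own log format.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
)

// shareRoot derives the BasePathFs root for a directory share. vulnerable=true models the
// pre-2.61.0 code (parent of the share); vulnerable=false models the 2.61.0 fix (the share itself).
func shareRoot(linkPath string, vulnerable bool) string {
	if vulnerable {
		return filepath.Dir(linkPath)
	}
	return filepath.Clean(linkPath)
}

// served returns what a base-path filesystem with the given root hands back for a request path.
func served(root, requested string) string {
	return filepath.Join(root, filepath.Clean("/"+requested))
}

// inScope reports whether path lies inside the directory the owner intended to share.
func inScope(intended, path string) bool {
	rel, err := filepath.Rel(filepath.Clean(intended), path)
	return err == nil && filepath.IsLocal(rel) // IsLocal rejects "..", "../x" and absolute paths
}

// Assumed request shape "<METHOD> /api/public/dl/<hash>/<path> ..." (constructed for this example).
var reqRe = regexp.MustCompile(`^\S+ /api/public/dl/([^/\s]+)(/\S*)?`)
// outOfScope returns log lines whose request, served under the vulnerable parent root, escapes the share.
func outOfScope(shares map[string]string, lines []string) []string {
	var hits []string
	for _, ln := range lines {
		m := reqRe.FindStringSubmatch(ln)
		if m == nil {
			continue // not a public share request
		}
		if dir, ok := shares[m[1]]; ok && !inScope(dir, served(shareRoot(dir, true), m[2])) {
			hits = append(hits, ln)
		}
	}
	return hits
}
func main() {
	shares := map[string]string{"a1b2c3": "/srv/users/alice/public"} // constructed share table
	logs := []string{"GET /api/public/dl/a1b2c3/public/report.pdf 200", // constructed log lines
		"GET /api/public/dl/a1b2c3/private/id_rsa 200", "GET /api/public/dl/a1b2c3/public/../../.env 200"}
	fmt.Println("out of scope:", outOfScope(shares, logs))
}
```

Intended for access logs from the pre-2.61.0 window, where the served root was the parent directory; pass false to shareRoot to audit logs produced by the patched version.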
Monitoring Recommendations
- Enable verbose logging for the File Browser application to capture all public share access attempts
- Set up alerts for access patterns that indicate directory enumeration or traversal behavior
- Regularly review public share links and their access logs for anomalous activity
- Monitor network traffic for unusual data exfiltration patterns from the File Browser server
How to Mitigate CVE-2026-28492
Immediate Actions Required
- Upgrade File Browser to version 2.61.0 or later immediately
- Audit existing public share links and review what data may have been accessible through them
- Consider temporarily disabling public share functionality until the patch is applied
- Review access logs to determine if the vulnerability has been exploited
Patch Information
The vulnerability has been patched in File Browser version 2.61.0. The fix replaces the vulnerable filepath.Dir(basePath) call with filepath.Clean(link.Path), ensuring that the filesystem root is set to the exact shared directory path. Users should upgrade to version 2.61.0 or later by following the official release notes on the GitHub Release v2.61.0 page. Additional technical details about the security fix can be found in the GitHub Security Advisory GHSA-mr74-928f-rw69.
Workarounds
- Disable public share functionality entirely until the patch can be applied
- Implement network-level access controls to restrict who can access public share links
- Place sensitive files and directories in isolated storage locations that cannot be siblings to shared directories
- Use a reverse proxy with path validation rules to block requests that attempt to access paths outside shared directories
# Configuration example
# Upgrade File Browser to the patched version
# Using Docker:
docker pull filebrowser/filebrowser:v2.61.0
docker stop filebrowser
docker rm filebrowser
docker run -d --name filebrowser -v /path/to/data:/srv -p 8080:80 filebrowser/filebrowser:v2.61.0
# Or if using a binary installation, download the latest release:
# wget https://github.com/filebrowser/filebrowser/releases/download/v2.61.0/linux-amd64-filebrowser.tar.gz
# tar -xzf linux-amd64-filebrowser.tar.gz
# ./filebrowser version # Verify version 2.61.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.