CVE-2026-30933 Overview
CVE-2026-30933 is an information disclosure vulnerability in FileBrowser Quantum, a free, self-hosted, web-based file manager. It is the result of an incomplete fix for CVE-2026-27611: password-protected shares still disclose tokenized download URLs through the /public/api/share/info endpoint. An unauthenticated attacker can therefore obtain a file access token and use it to bypass the password protection on a shared file.
Critical Impact
Password-protected file shares can be downloaded without the share password: the public API endpoint returns a tokenized downloadURL value, and the token alone is enough to fetch the files.
Affected Products
- FileBrowser Quantum stable releases prior to 1.2.2-stable
- FileBrowser Quantum beta releases prior to 1.3.1-beta
Discovery Timeline
- 2026-03-10 - CVE-2026-30933 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30933
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue stems from an incomplete fix for a previous vulnerability (CVE-2026-27611) that was intended to protect password-protected file shares from unauthorized access.
The core problem is the /public/api/share/info endpoint, which continues to include the tokenized download URL in its response even when the share is configured with a password. The normal web interface prompts for the password before showing the share's content, but the API beneath it returns the token that a direct download link is built from.
An attacker who knows a share's identifier (for example from a share link) can query this public endpoint without credentials and read the downloadURL field. The token it carries can then be used to fetch the shared files directly, circumventing the password protection the share's owner relied on.
Root Cause
The vulnerability originates from improper access control in the share information API endpoint. The fix for CVE-2026-27611 did not restrict the response for password-protected shares: the API still includes the downloadURL field, carrying a valid access token, whether or not the share requires a password.
This is a classic incomplete fix: the visible user-interface behavior was corrected (the password prompt is shown), but the data exposure in the underlying API was not addressed.
Attack Vector
The attack leverages the network-accessible API endpoint that does not require any authentication. An attacker can exploit this vulnerability through the following approach:
- The attacker identifies or enumerates share identifiers for a target FileBrowser Quantum instance
- The attacker sends a request to the /public/api/share/info endpoint with the share identifier
- The API responds with share metadata including the tokenized downloadURL
- The attacker extracts the download token from the response
- Using the token, the attacker directly accesses the shared files without ever providing the share password
This attack requires no user interaction and can be performed entirely over the network against any exposed FileBrowser Quantum instance running a vulnerable version.
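The root cause and the attack steps above, as an added example in Go (the language FileBrowser Quantum is written in). This is illustrative code written for this page, not the project's own handler or types. It stands up two hypothetical /public/api/share/info handlers, one that serialises the tokenized downloadURL for every share (the bug class described) and one that withholds it until the share password has been verified, plus a probe that reports whether a response exposes a downloadURL. The in-memory share record, the hash query parameter, the X-Share-Password header and the download URL format are assumptions; the real product's password flow and field names may differ.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// share is a hypothetical in-memory share record (this example's own, not the
// product's); a real server would store a password hash, not the password.
type share struct {
	Hash, Password, Token string // empty Password means an open share; Token authorises downloads
}

// shareInfo is the JSON the hypothetical handler returns; the advisory names the downloadURL field, the rest is assumed.
type shareInfo struct {
	Hash        string `json:"hash"`
	DownloadURL string `json:"downloadURL,omitempty"`
}

// Constructed sample data: a single password-protected share.
var shares = map[string]share{"abc123": {Hash: "abc123", Password: "hunter2", Token: "t0k3n-secret"}}

func downloadURL(s share) string {
	return fmt.Sprintf("/public/api/share/download?hash=%s&token=%s", s.Hash, s.Token)
}

// passwordVerified stands in for the state a real server keeps after a successful password POST; a header is a simplification.
func passwordVerified(r *http.Request, s share) bool {
	return subtle.ConstantTimeCompare([]byte(r.Header.Get("X-Share-Password")), []byte(s.Password)) == 1
}

func lookup(w http.ResponseWriter, r *http.Request) (share, bool) {
	s, ok := shares[r.URL.Query().Get("hash")] // the "hash" query parameter is an assumption
	if !ok {
		http.NotFound(w, r)
	}
	return s, ok
}

// vulnerableShareInfo reproduces the bug class the advisory describes: the tokenised
// downloadURL is serialised for every share, password-protected or not.
func vulnerableShareInfo(w http.ResponseWriter, r *http.Request) {
	if s, ok := lookup(w, r); ok {
		json.NewEncoder(w).Encode(shareInfo{Hash: s.Hash, DownloadURL: downloadURL(s)})
	}
}

// fixedShareInfo withholds the tokenised URL until the share password has been verified.
func fixedShareInfo(w http.ResponseWriter, r *http.Request) {
	s, ok := lookup(w, r)
	if !ok {
		return
	}
	resp := shareInfo{Hash: s.Hash}
	if s.Password == "" || passwordVerified(r, s) {
		resp.DownloadURL = downloadURL(s)
	}
	json.NewEncoder(w).Encode(resp)
}

// exposesDownloadURL reports whether a share/info response carries a non-empty downloadURL.
// Queried for a share you know is password protected, without the password, true means still vulnerable.
func exposesDownloadURL(body io.Reader) (bool, error) {
	var m struct{ DownloadURL string `json:"downloadURL"` }
	if err := json.NewDecoder(body).Decode(&m); err != nil {
		return false, err
	}
	return m.DownloadURL != "", nil
}

// probe fetches the share-info URL; the password header is empty when none is given.
func probe(url, password string) (bool, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("X-Share-Password", password)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return exposesDownloadURL(resp.Body)
}

func main() {
	for name, h := range map[string]http.HandlerFunc{"vulnerable": vulnerableShareInfo, "fixed": fixedShareInfo} {
		srv := httptest.NewServer(h)
		anon, _ := probe(srv.URL+"/public/api/share/info?hash=abc123", "")
		withPw, _ := probe(srv.URL+"/public/api/share/info?hash=abc123", "hunter2")
		fmt.Printf("%-10s exposes downloadURL: anonymous=%v with-password=%v\n", name, anon, withPw)
		srv.Close()
	}
}
```

To check an instance of your own, point the probe at the share-info URL of a share you know is password protected and supply no password: a non-empty downloadURL in the response means the instance is still affected. The fix itself is a single condition, and that is the point: the token must not be serialised until the password check has passed, regardless of what the UI shows.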
Detection Methods for CVE-2026-30933
Indicators of Compromise
- Unusual volume of requests to /public/api/share/info from single IP addresses or user agents
- Direct file downloads using tokenized URLs without corresponding password authentication events
- API access patterns indicating enumeration attempts against share endpoints
- Access logs showing successful file retrievals for password-protected shares without prior authentication
Detection Strategies
- Monitor web server access logs for requests to /public/api/share/info endpoints, particularly from untrusted sources
- Alert on request rates to the share info API endpoint that are consistent with enumeration (many requests touching many distinct share identifiers from one client in a short window)
- Correlate file download events with authentication logs to identify downloads occurring without proper password verification
- Deploy web application firewall (WAF) rules to detect and alert on suspicious access patterns to the share API
Monitoring Recommendations
- Enable verbose logging for all API endpoints related to file sharing functionality
- Set up alerts for high-frequency requests to share information endpoints from individual IP addresses
- Monitor for access to shared files that bypasses the normal authentication flow
- Review access logs periodically for evidence of token harvesting from the vulnerable endpoint
How to Mitigate CVE-2026-30933
Immediate Actions Required
- Upgrade FileBrowser Quantum to version 1.2.2-stable or 1.3.1-beta immediately
- Audit existing password-protected shares for potential unauthorized access
- Regenerate share tokens for sensitive files that may have been exposed: the upgrade stops the disclosure but does not invalidate tokens an attacker has already harvested
- Review access logs for any suspicious activity targeting the share info API endpoint
- Until the upgrade is complete, consider temporarily disabling shares of highly sensitive data rather than relying on their password protection
Patch Information
The vulnerability has been addressed in FileBrowser Quantum versions 1.2.2-stable and 1.3.1-beta. Users should update to one of these versions based on their deployment preferences:
- Stable branch users: Upgrade to v1.2.2-stable
- Beta branch users: Upgrade to v1.3.1-beta
For complete security advisory details, refer to the GitHub Security Advisory GHSA-525j-95gf-766f.
Workarounds
- Restrict network access to the FileBrowser Quantum instance using firewall rules until patching is possible
- Put authentication in front of the instance at a reverse proxy; note that this also blocks legitimate external recipients of shares, so it suits internal deployments rather than public ones
- Disable the public sharing feature entirely if the shared data is sensitive enough that its password protection must hold
- Use network segmentation to limit exposure of the vulnerable API endpoint to trusted networks only
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

