CVE-2026-32761 Overview
File Browser is a web-based file management interface that enables uploading, deleting, previewing, renaming, and editing files within a specified directory. A permission enforcement bypass vulnerability exists in versions 2.61.0 and below that allows authenticated users who are explicitly denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links.
Critical Impact
Authenticated users can bypass download restrictions and publicly distribute sensitive files they are explicitly blocked from downloading, undermining data-loss prevention and role-separation policies.
Affected Products
- File Browser versions 2.61.0 and below
- All installations with users granted share permissions but denied download permissions
- Self-hosted File Browser deployments with role-based access controls
Discovery Timeline
- 2026-03-20 - CVE-2026-32761 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32761
Vulnerability Analysis
This authorization bypass vulnerability stems from inconsistent permission enforcement across different API endpoints in File Browser. The application implements separate handlers for direct file downloads and public share-based downloads, but these handlers apply permission checks differently.
When a user attempts to download a file directly via the /api/raw/ endpoint, the application correctly validates that the user has download permission (perm.download = true). However, when creating a share link, the share creation endpoint only verifies that the user has share permission (perm.share = true) without checking whether the user also has download permission for the target file.
The critical flaw is in the public download handler (/api/public/dl/<hash>), which serves file content to anyone presenting the share hash without verifying that the user who created the share had download permission when the share was created. This creates an authorization bypass chain: a restricted user circumvents the download restriction by first sharing the file and then retrieving it through the unauthenticated public URL.
Root Cause
The root cause is improper access control (CWE-284) in the share creation and public download workflows. The application assumes that share permission implies download permission, but this violates the principle of least privilege when administrators intentionally configure users with share-only access. The public download handler lacks a permission inheritance check that should verify the original sharer's download permission at the time of file retrieval.
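The permission checks described above, modelled in Go as an added example (not File Browser's own code): the share endpoint checks only perm.share, the vulnerable public handler serves to any holder of the hash, and the fixed handler re-checks the sharer's perm.download at retrieval time. The User and Share types, the sample account and the file body are assumptions made for this model.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a minimal stand-in for a File Browser account (assumed shape).
type User struct {
	Name            string
	Download, Share bool // perm.download / perm.share
}

// Share records who created a public link and for which path.
type Share struct {
	Hash, Path string
	Creator    *User // the sharer, consulted again at download time
}

var ErrForbidden = errors.New("forbidden")

// CreateShare checks only perm.share, which is all the 2.61.0 endpoint does.
func CreateShare(u *User, path, hash string) (*Share, error) {
	if !u.Share {
		return nil, ErrForbidden
	}
	return &Share{Hash: hash, Path: path, Creator: u}, nil
}

// PublicDownloadVulnerable serves to anyone holding the hash (pre-2.62.0).
func PublicDownloadVulnerable(s *Share) (string, error) {
	return "contents of " + s.Path, nil // constructed stand-in for the file body
}

// PublicDownloadFixed re-checks the sharer's perm.download at retrieval time, the
// property the advisory says 2.62.0 enforces; checking here rather than only at
// share creation also covers a download permission revoked after the link was made.
func PublicDownloadFixed(s *Share) (string, error) {
	if s.Creator == nil || !s.Creator.Download {
		return "", ErrForbidden
	}
	return "contents of " + s.Path, nil
}

func main() {
	restricted := &User{Name: "analyst", Download: false, Share: true}
	sh, _ := CreateShare(restricted, "/finance/q1.xlsx", "abc123")
	_, err := PublicDownloadFixed(sh)
	fmt.Println("fixed handler for a perm.download=false sharer:", err)
}
```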
Attack Vector
The attack is network-based and requires low-privilege authenticated access. An attacker with valid credentials and share permissions (but explicitly denied download permissions) can exploit this vulnerability through the following sequence:
- The attacker authenticates to File Browser with an account that has perm.share = true but perm.download = false
- The attacker navigates to a sensitive file they can view but cannot download directly
- Using the share functionality, the attacker creates a public share link for the target file
- The application generates a public URL in the format /api/public/dl/<hash>
- The attacker (or any external party) can now access the file via this unauthenticated public URL, bypassing the download restriction entirely
The vulnerability undermines role separation policies where organizations may want users to share file metadata or collaborate without the ability to extract file contents for offline use.
Detection Methods for CVE-2026-32761
Indicators of Compromise
- Unusual share creation activity from accounts with restricted download permissions
- Access to /api/public/dl/ endpoints for files owned by users without download permission
- Audit logs showing share creation followed by public download requests from external IPs
- High volume of share link generation from a single restricted user account
Detection Strategies
- Monitor API access logs for patterns where users denied download permission are creating share links
- Implement correlation rules to detect share creation events followed by public download requests within short time windows
- Alert on /api/public/dl/ requests for files owned by users with perm.download = false
- Review share audit logs for sensitive file directories being shared by restricted users
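The correlation rule from the list above, as an added example that is not part of the advisory: a Go routine walks constructed audit lines and alerts when a public download hits a share created by a perm.download = false user, and drops a share from consideration once it is deleted. The key=value line shape, the action names and the sample lines are assumptions; File Browser's real audit format is not given here, so adapt parseLine to it.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed audit lines in an assumed "timestamp key=value ..." shape.
var SampleLines = []string{
	"2026-03-21T09:00:00Z action=share.create user=analyst path=/finance/q1.xlsx hash=abc123",
	"2026-03-21T09:00:42Z action=public.download hash=abc123 ip=203.0.113.5",
	"2026-03-21T09:05:00Z action=share.create user=manager path=/docs/memo.txt hash=def456",
	"2026-03-21T09:05:10Z action=public.download hash=def456 ip=203.0.113.7",
}

// Users with perm.download = false; in practice this comes from the user store.
var RestrictedUsers = map[string]bool{"analyst": true}

// parseLine keeps the key=value tokens and ignores the bare timestamp.
func parseLine(line string) map[string]string {
	f := map[string]string{}
	for _, kv := range strings.Fields(line) {
		if k, v, ok := strings.Cut(kv, "="); ok {
			f[k] = v
		}
	}
	return f
}

// Correlate emits one alert per public download of a share hash that a
// download-restricted user created earlier in the log (the advisory's IoC).
func Correlate(lines []string, restricted map[string]bool) []string {
	pending := map[string]map[string]string{} // hash -> share.create event
	var alerts []string
	for _, l := range lines {
		f := parseLine(l)
		switch f["action"] {
		case "share.create":
			if restricted[f["user"]] {
				pending[f["hash"]] = f
			}
		case "share.delete": // a revoked link cannot be fetched any more
			delete(pending, f["hash"])
		case "public.download":
			if s, ok := pending[f["hash"]]; ok {
				alerts = append(alerts, fmt.Sprintf("%s (perm.download=false) shared %s; fetched via /api/public/dl/%s from %s", s["user"], s["path"], f["hash"], f["ip"]))
			}
		}
	}
	return alerts
}
```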
Monitoring Recommendations
- Enable detailed audit logging for share creation and public download events
- Configure alerts for share link generation involving files in sensitive directories
- Monitor for external IP addresses accessing public download URLs for files that should remain internal
- Implement rate limiting on share creation to detect bulk exfiltration attempts
How to Mitigate CVE-2026-32761
Immediate Actions Required
- Upgrade File Browser to version 2.62.0 or later immediately
- Audit existing share links created by users with restricted download permissions
- Review and revoke any suspicious public share links for sensitive files
- Temporarily disable share functionality for users with download restrictions until patching is complete
Patch Information
The vulnerability has been fixed in File Browser version 2.62.0. The fix ensures that the public download handler verifies the original sharer's download permission before serving file content. The patch is available in GitHub Commit 09a2616. For additional details, refer to the GitHub Security Advisory GHSA-68j5-4m99-w9w9 and the GitHub Release v2.62.0.
Workarounds
- Remove share permission (perm.share = false) from all users who are denied download permission until the patch can be applied
- Implement network-level controls to restrict access to public share URLs from external networks
- Use a reverse proxy to block or monitor requests to /api/public/dl/ endpoints
- Conduct a review of all active share links and delete any that expose sensitive content
# Configuration example - Disable share permission for restricted users
# In File Browser user configuration, ensure users without download permission
# also have share permission disabled:
# perm.download = false
# perm.share = false # Add this line to prevent bypass
# To audit existing shares, check the database or use API:
# GET /api/shares to list all active shares
# DELETE /api/share/<hash> to remove suspicious shares
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.