CVE-2026-35604 Overview
CVE-2026-35604 is a high-severity authorization bypass vulnerability in File Browser, a popular web-based file management interface used for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.63.1, when an administrator revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler fails to re-check the share owner's current permissions, allowing continued unauthorized access to shared files.
Critical Impact
Attackers can leverage stale share links to access files that should no longer be publicly available, potentially leading to unauthorized data exposure even after administrative permission revocation.
Affected Products
- File Browser versions prior to 2.63.1
- Self-hosted File Browser deployments with share link functionality enabled
- Any system where users have previously created share links before permission revocation
Discovery Timeline
- April 7, 2026 - CVE-2026-35604 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35604
Vulnerability Analysis
This vulnerability (CWE-863: Incorrect Authorization) stems from a fundamental flaw in File Browser's permission validation model. When a user creates a share link, the system generates a persistent URL that allows unauthenticated access to the shared resource. However, the download handler for these public shares only validates that the share link itself exists—it does not verify whether the original user who created the share still possesses the necessary Share and Download permissions.
This creates a dangerous scenario where administrators believe they have effectively revoked a user's ability to share files, but in reality, any previously created share links continue to function. The vulnerability is particularly impactful in multi-tenant environments or organizations where user permissions change frequently due to role transitions, employment changes, or security incidents.
Root Cause
The root cause lies in the public share download handler's permission validation logic. When processing a request to download a shared file, the handler validates that the share link exists and that the file is available, but it never queries the current permission state of the share owner. Authorization is evaluated once, at share creation time, and its result is effectively frozen into the share link, so a later revocation of the owner's Share and Download permissions has no effect on links already issued. This is a stale-authorization flaw rather than a classic time-of-check to time-of-use (TOCTOU) race: there is no narrow timing window for an attacker to win, the check simply is never repeated at access time, and the fix is a re-check on every request rather than any form of atomicity.
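To make the missing check concrete, the following Go program models a public share download handler in both forms: the pre-2.63.1 behaviour, which only verifies that the share hash exists, and a hardened variant that re-evaluates the owner's current Share and Download permissions on every request. This is an added, self-contained illustration and not File Browser's source; the `Store`, `User`, `Share` and `Perms` types, the in-memory maps and the 404-on-revocation choice are all our own simplifications, and only the `/api/public/dl/<hash>` route shape is taken from the advisory text.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Illustrative model only, not File Browser's code. Types are simplified stand-ins.
type Perms struct{ Share, Download bool }

type User struct {
	ID   uint
	Perm Perms
}

type Share struct {
	Hash, Path string
	UserID     uint
}

type Store struct {
	users  map[uint]*User
	shares map[string]*Share
}

// hashFromPath extracts the share hash from /api/public/dl/<hash>[/subpath].
func hashFromPath(p string) string {
	rest := strings.TrimPrefix(p, "/api/public/dl/")
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		rest = rest[:i]
	}
	return rest
}

// vulnerableDownload models the pre-2.63.1 behaviour: the only check is that the share exists.
func vulnerableDownload(store *Store) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sh, ok := store.shares[hashFromPath(r.URL.Path)]
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		fmt.Fprintf(w, "contents of %s", sh.Path) // a real handler would stream the file
	})
}

// fixedDownload re-evaluates the owner's current permissions on every request, which is the
// control the advisory describes as missing. We answer 404 rather than 403 so an anonymous
// caller cannot tell a revoked share from a nonexistent one; that is our design choice.
func fixedDownload(store *Store) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sh, ok := store.shares[hashFromPath(r.URL.Path)]
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		owner, ok := store.users[sh.UserID]
		if !ok || !owner.Perm.Share || !owner.Perm.Download {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		fmt.Fprintf(w, "contents of %s", sh.Path)
	})
}

// get issues an unauthenticated GET against a handler and returns the status code.
func get(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

// demo creates a share, revokes the owner's permissions the way an admin would, and returns
// the status codes from both handlers before and after the revocation.
func demo() (vulnBefore, fixedBefore, vulnAfter, fixedAfter int) {
	alice := &User{ID: 1, Perm: Perms{Share: true, Download: true}}
	store := &Store{
		users:  map[uint]*User{1: alice},
		shares: map[string]*Share{"abc123": {Hash: "abc123", Path: "/reports/q1.pdf", UserID: 1}},
	}
	const link = "/api/public/dl/abc123"
	vulnBefore, fixedBefore = get(vulnerableDownload(store), link), get(fixedDownload(store), link)

	// Admin revokes Share and Download; the share record itself stays in place.
	alice.Perm = Perms{}

	vulnAfter, fixedAfter = get(vulnerableDownload(store), link), get(fixedDownload(store), link)
	return
}

func main() {
	vb, fb, va, fa := demo()
	fmt.Printf("before revocation: vulnerable=%d fixed=%d\n", vb, fb)
	fmt.Printf("after revocation:  vulnerable=%d fixed=%d\n", va, fa)
}
```

Running it shows both handlers serving the file while alice still holds her permissions, and only the vulnerable one continuing to serve it after the revocation. The essential difference is the second lookup in `fixedDownload`: the share record alone is not an authorization decision, the owner's live permission state is.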
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker who possesses or discovers a valid share link can continue accessing the shared resource indefinitely, regardless of subsequent permission changes applied to the original share creator. Attack scenarios include:
- A former employee's share links remaining active after their account permissions are revoked
- A user whose permissions are reduced during a security incident maintaining unauthorized access channels
- Leaked or intercepted share links providing persistent access to sensitive files
The vulnerability is exploited by simply requesting the share link URL directly. It does not by itself let an attacker enumerate or forge share hashes; it keeps links that were once legitimately issued alive past the point where they should have died. For detailed technical information about the fix implementation, see the GitHub Security Advisory GHSA-v9w4-gm2x-6rvf and the associated pull request #5888.
Detection Methods for CVE-2026-35604
Indicators of Compromise
- Access logs showing downloads via share links (/api/public/dl/<hash>) whose owner's Share or Download permission has since been revoked; these requests are unauthenticated, so the owner must be resolved from the share hash, not from a session or username in the log
- Continued access to shared resources after administrative permission changes
- Share link access patterns from unexpected IP addresses or geographic locations
- Spike in public share downloads that don't correlate with active user sharing activities
Detection Strategies
- Audit File Browser access logs for share link downloads and cross-reference with current user permissions
- Implement monitoring for public share endpoint access (/api/public/dl/) and correlate with permission change events
- Review all existing share links and validate that creators still have appropriate permissions
- Deploy web application firewalls (WAF) with rules to log and alert on share link access patterns
Monitoring Recommendations
- Enable detailed access logging for all public share endpoints in File Browser
- Create alerts for share link access events occurring after the associated user's permissions were modified
- Monitor for bulk downloads via share links that may indicate data exfiltration
- Implement periodic audits comparing active share links against current user permission states
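The detection and monitoring items above reduce to one join: public share downloads from the access log, matched by hash to the share's owner, compared against the time that owner lost Share and Download. The Go program below performs that join over a few constructed log lines. It is an added example, not something shipped with File Browser or taken from the advisory: it assumes a reverse proxy (nginx or Apache "combined" format) in front of File Browser, since File Browser itself does not write such an access log, and that the hash-to-owner map and revocation timestamps were exported from the admin share list and your own change records. All IPs, hashes, usernames and times are invented.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample of a reverse-proxy "combined" access log in front of File Browser.
const sampleLog = `203.0.113.10 - - [09/Apr/2026:08:15:02 +0000] "GET /api/public/dl/abc123 HTTP/1.1" 200 48213 "-" "curl/8.5.0"
198.51.100.7 - - [09/Apr/2026:10:42:11 +0000] "GET /api/public/dl/abc123/q1.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2026:10:42:15 +0000] "GET /api/public/dl/def456 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.44 - - [09/Apr/2026:11:00:00 +0000] "GET /api/resources/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Apr/2026:12:30:45 +0000] "GET /api/public/dl/abc123 HTTP/1.1" 200 48213 "-" "curl/8.5.0"
`

// shareOwner maps share hash to owner username (constructed; in practice exported from the
// admin's share list).
var shareOwner = map[string]string{"abc123": "alice", "def456": "bob"}

// revokedAt records when an admin removed Share/Download from a user (constructed; in
// practice taken from your change or audit log). Users absent here were never revoked.
var revokedAt = map[string]time.Time{
	"alice": time.Date(2026, 4, 9, 10, 0, 0, 0, time.UTC),
}

// Groups: 1 client IP, 2 timestamp, 3 share hash, 4 status. Only GET/HEAD on the public
// download route are considered.
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) /api/public/dl/([^/ ?]+)[^"]*" (\d{3})`)

type Finding struct {
	When          time.Time
	IP, Hash      string
	Owner, Reason string
}

// staleDownloads returns every successful public download that either followed the owner's
// permission revocation or used a hash that is not in the admin export at all.
func staleDownloads(logText string) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil || m[4] != "200" { // only served downloads matter
			continue
		}
		ts, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
		if err != nil {
			return nil, err
		}
		owner, known := shareOwner[m[3]]
		switch {
		case !known:
			out = append(out, Finding{ts, m[1], m[3], "", "hash missing from admin share export"})
		case !revokedAt[owner].IsZero() && ts.After(revokedAt[owner]):
			out = append(out, Finding{ts, m[1], m[3], owner,
				"owner's Share/Download revoked at " + revokedAt[owner].Format(time.RFC3339)})
		}
	}
	return out, sc.Err()
}

func main() {
	findings, err := staleDownloads(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s hash=%s owner=%q %s\n", f.When.Format(time.RFC3339), f.IP, f.Hash, f.Owner, f.Reason)
	}
}
```

On the sample, the 08:15 download precedes alice's revocation and is ignored, bob was never revoked so def456 is clean, and the two abc123 downloads after 10:00 are reported. Fed the real proxy log and a current share export, the same join also answers the audit question in the last bullet: any hash that appears in the export with an owner lacking Share and Download is a link that should be deleted.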
How to Mitigate CVE-2026-35604
Immediate Actions Required
- Upgrade File Browser to version 2.63.1 or later immediately
- Audit all existing share links and revoke any created by users who no longer have Share and Download permissions
- Review access logs to identify potential unauthorized access via stale share links
- Consider temporarily disabling share link functionality until the patch is applied in high-security environments
Patch Information
The vulnerability is fixed in File Browser version 2.63.1. The patch modifies the public share download handler to perform real-time permission validation against the share owner's current permission state before serving any download requests. Organizations should upgrade to this version or later to remediate the vulnerability. Detailed patch information is available in the GitHub Pull Request #5888.
Workarounds
- Manually audit and delete all existing share links created by users whose permissions have been revoked
- Implement network-level access controls to restrict access to the public share endpoint (/api/public/dl/), for example an IP allowlist for that path at the reverse proxy
- Use reverse proxy rules to require authentication for share link access as a temporary measure; this also cuts off legitimate external recipients, so it amounts to suspending public sharing while it is in place
- Disable the share link feature entirely at the application level if not business-critical
# Example: summarize public share downloads seen in the access log. File Browser itself does
# not write a combined-format access log, so this is the reverse proxy's log; adjust the path,
# and the awk fields ($1 client IP, $4 timestamp, $7 request path) assume nginx/Apache "combined".
grep -E "/api/public/dl/" /var/log/filebrowser/access.log | \
awk '{print $1, $4, $7}' | sort | uniq -c | sort -rn
# List all active shares for audit. File Browser keeps its state in a BoltDB file (filebrowser.db),
# not SQLite, so it cannot be queried with sqlite3; use the HTTP API with an admin token instead
# (admins receive every user's shares). Example host; confirm endpoint paths against your version.
TOKEN=$(curl -s -X POST https://files.example.com/api/login -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"<admin-password>"}')
curl -s -H "X-Auth: $TOKEN" https://files.example.com/api/shares > shares_audit.json
# Delete a stale share by hash once its owner is confirmed to have lost Share and Download
curl -s -X DELETE -H "X-Auth: $TOKEN" https://files.example.com/api/share/<hash>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

