CVE-2026-35605 Overview
CVE-2026-35605 is a Path Traversal vulnerability affecting File Browser, an open-source file managing interface used for uploading, deleting, previewing, renaming, and editing files within a specified directory. The vulnerability exists in versions prior to 2.63.1 where the Matches() function in rules/rules.go uses strings.HasPrefix() without a trailing directory separator when matching paths against access rules.
This improper path matching logic means that a rule defined for /uploads would also incorrectly match /uploads_backup/, potentially granting or denying access to unintended directories. This could allow attackers to bypass access controls and gain unauthorized access to sensitive files or directories.
Critical Impact
Attackers can bypass file access rules to read, modify, or delete files in unintended directories by exploiting improper path prefix matching in File Browser's access control mechanism.
Affected Products
- File Browser versions prior to 2.63.1
Discovery Timeline
- 2026-04-07 - CVE-2026-35605 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35605
Vulnerability Analysis
The vulnerability stems from a flaw in File Browser's access control implementation, specifically classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, or Path Traversal). The Matches() function in rules/rules.go performs path-based access control checks using Go's strings.HasPrefix() function without properly appending a trailing directory separator to the rule path.
When access rules are configured to restrict or permit access to specific directories, the application compares incoming request paths against these rules. The issue arises because a prefix match without a trailing separator creates ambiguity: a rule for /uploads will match not only the intended /uploads directory and its contents but also any path that begins with /uploads, such as /uploads_backup/, /uploads_private/, or /uploads_sensitive/.
This path matching flaw can lead to unintended access grants or denials depending on how the rules are configured. In scenarios where /uploads is allowed but /uploads_backup should be restricted, an attacker could access the backup directory by exploiting this matching behavior. Conversely, if /uploads is denied, unintended directories could also be incorrectly blocked.
Root Cause
The root cause is the use of strings.HasPrefix() for path comparison without ensuring proper directory boundary checks. Secure path matching requires either:
- Appending a trailing slash to the rule path before comparison (e.g., /uploads/)
- Using path-aware comparison functions that respect directory boundaries
The fix in version 2.63.1 addresses this by implementing proper path boundary checking to ensure rules only match their intended directories and subdirectories, not similarly-named sibling directories.
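As an added illustration (not File Browser's own code), the Go program below places the flawed bare-prefix check beside a boundary-aware one. The fixed variant normalises both paths with path.Clean, an assumption of this example rather than a description of the actual patch, and then accepts only the rule directory itself or a path under it; the rule and request paths are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchesVulnerable reproduces the flaw described in the advisory: a bare
// strings.HasPrefix on the rule path, so a rule for "/uploads" also claims
// "/uploads_backup". Illustration only, not File Browser's actual code.
func matchesVulnerable(rulePath, reqPath string) bool {
	return strings.HasPrefix(reqPath, rulePath)
}

// matchesFixed matches only the rule directory itself and paths beneath it.
// Both inputs are normalised with path.Clean (an assumption of this example)
// so a trailing slash on the rule and "../" segments in the request do not
// change the outcome.
func matchesFixed(rulePath, reqPath string) bool {
	rule := path.Clean("/" + rulePath)
	req := path.Clean("/" + reqPath)
	if rule == "/" {
		return true // a root rule covers every path
	}
	return req == rule || strings.HasPrefix(req, rule+"/")
}

func main() {
	requests := []string{
		"/uploads",
		"/uploads/report.pdf",
		"/uploads_backup/db.sql",            // sibling directory: must not match
		"/uploads/../uploads_backup/db.sql", // traversal into the sibling
	}
	for _, req := range requests {
		fmt.Printf("%-36s vulnerable=%-5v fixed=%v\n", req,
			matchesVulnerable("/uploads", req), matchesFixed("/uploads", req))
	}
}
```

Note that with the bare-prefix check a rule written as /uploads/ no longer matches a request for the directory path /uploads itself, which is the trade-off of the trailing-slash workaround.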
Attack Vector
The attack vector is network-based, requiring the attacker to send crafted HTTP requests to the File Browser application. The attack works as follows:
- An attacker identifies a File Browser instance with access rules configured using directory paths
- The attacker crafts requests targeting directories that share common prefixes with allowed or denied paths
- Due to the improper prefix matching, requests to /uploads_backup/sensitive_file.txt may be permitted by a rule intended only for /uploads/
- The attacker gains unauthorized read/write access to files in unintended directories
The vulnerability mechanism involves the path matching logic in the access control system. When a user requests access to a file path, the Matches() function checks if the requested path starts with any configured rule path using strings.HasPrefix(). Without a trailing separator, this check cannot distinguish between /uploads (the intended directory) and /uploads_backup (an unrelated directory). For detailed technical analysis, refer to the GitHub Pull Request #5889 and the GitHub Security Advisory.
Detection Methods for CVE-2026-35605
Indicators of Compromise
- Unexpected file access or modifications in directories with names similar to restricted paths (e.g., *_backup, *_old, *_temp)
- Access log entries showing requests to paths that share prefixes with configured access rules
- Unauthorized file operations in directories that should be protected by access rules
- User complaints about being able to access directories they shouldn't have permissions for
Detection Strategies
- Review File Browser access logs for requests to paths containing common suffixes like _backup, _archive, _old, or _temp that may indicate exploitation attempts
- Audit your access rule configurations and identify any rules that could unintentionally match similarly-named directories
- Implement web application firewall (WAF) rules to flag suspicious path patterns that attempt to bypass directory restrictions
- Deploy file integrity monitoring on directories adjacent to those defined in access rules
Monitoring Recommendations
- Enable verbose logging in File Browser to capture all file access attempts with full path information
- Set up alerts for access attempts to directories that contain sensitive data but share prefixes with allowed directories
- Monitor for unusual patterns of file access that don't align with normal user behavior
- Regularly audit File Browser access rules to ensure they enforce intended boundaries with proper directory separators
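For the log review suggested under Detection Strategies and the prefix-sharing alerts under Monitoring Recommendations, the following added Go snippet (not part of the advisory or of File Browser) flags log lines whose request path starts with a configured rule directory but is neither that directory nor something beneath it, which is exactly the set of requests the bare-prefix check misclassifies. The log lines, the rule directories and the "/api/resources" URL layout are constructed assumptions; adapt the parser to the real log format.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample log lines in a simplified "method path status" shape.
// File Browser's real log format is not shown in the advisory, so the parser
// below is an assumption to be adapted.
var sampleLog = []string{
	"GET /api/resources/uploads/report.pdf 200",
	"GET /api/resources/uploads_backup/db.sql 200",
	"PUT /api/resources/uploads_old/notes.txt 200",
	"GET /api/resources/public/index.html 200",
	"DELETE /api/resources/uploads 403",
}

// Access-rule directories an operator is assumed to have configured.
var ruleDirs = []string{"/uploads", "/public"}

// prefixCollision reports whether reqPath starts with ruleDir but is neither
// ruleDir itself nor a path beneath it: the case a bare HasPrefix conflates.
func prefixCollision(ruleDir, reqPath string) bool {
	return strings.HasPrefix(reqPath, ruleDir) &&
		reqPath != ruleDir && !strings.HasPrefix(reqPath, ruleDir+"/")
}

// flagCollisions returns the log lines whose request path collides with a rule.
func flagCollisions(lines []string, rules []string) []string {
	var flagged []string
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		// Strip the assumed API prefix so the path is relative to the served root.
		p := strings.TrimPrefix(fields[1], "/api/resources")
		for _, r := range rules {
			if prefixCollision(r, p) {
				flagged = append(flagged, line)
				break
			}
		}
	}
	return flagged
}

func main() {
	for _, line := range flagCollisions(sampleLog, ruleDirs) {
		fmt.Println("prefix collision:", line)
	}
}
```

Flagged lines are candidates for review rather than proof of abuse: a legitimately named sibling such as /uploads2 is reported too, which is also the configuration smell the audit step above is meant to surface.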
How to Mitigate CVE-2026-35605
Immediate Actions Required
- Upgrade File Browser to version 2.63.1 or later immediately to receive the security patch
- Review all existing access rules and manually verify they are enforcing intended access boundaries
- Audit file access logs to determine if the vulnerability may have been exploited in your environment
- Consider temporarily disabling or tightening access rules until the upgrade can be completed
Patch Information
The vulnerability has been fixed in File Browser version 2.63.1. The patch modifies the path matching logic in rules/rules.go to properly handle directory boundaries when comparing request paths against access rules.
Organizations should update their File Browser installations as soon as possible. The fix is available through the standard update channels:
- GitHub Pull Request #5889 contains the specific code changes
- GitHub Security Advisory GHSA-5q48-q4fm-g3m6 provides official vendor guidance
Workarounds
- Manually append trailing slashes to all directory rules (e.g., use /uploads/ instead of /uploads) as a temporary mitigation
- Implement additional access controls at the network or web server level to restrict access to sensitive directories
- Use more specific and unique directory names that are less likely to create prefix collision issues
- Deploy a reverse proxy with path validation rules to enforce proper directory boundary checking
# Configuration example - Update File Browser to patched version
# Using Docker
docker pull filebrowser/filebrowser:v2.63.1
docker stop filebrowser
docker rm filebrowser
docker run -d --name filebrowser -v /path/to/files:/srv -p 8080:80 filebrowser/filebrowser:v2.63.1
# Using Go
go install github.com/filebrowser/filebrowser/v2@v2.63.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.