CVE-2026-35606 Overview
CVE-2026-35606 is an authorization bypass vulnerability in File Browser, a web-based file management interface used for uploading, deleting, previewing, renaming, and editing files within a specified directory. The vulnerability lies in the resourceGetHandler function in http/resource.go, which returns the full content of a text file without checking the Perm.Download permission flag. Because this check is missing, users who have been explicitly denied download permission can still read text file content through the affected endpoint.
Critical Impact
Users with restricted download permissions (download: false) can bypass security controls and read any text file within their configured scope through two distinct bypass paths, potentially exposing sensitive configuration files, credentials, or other confidential data stored on the server.
Affected Products
- File Browser versions prior to 2.63.1
- Self-hosted File Browser installations with download restrictions configured
- Docker deployments of File Browser using affected versions
Discovery Timeline
- April 7, 2026 - CVE-2026-35606 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35606
Vulnerability Analysis
This vulnerability represents a classic missing authorization (CWE-862) flaw where a security-sensitive operation fails to verify user permissions before executing. The vulnerability exists because of inconsistent permission checking across File Browser's content-serving endpoints.
The application correctly implements permission verification in three content-serving endpoints (/api/raw, /api/preview, and /api/subtitle), but the resourceGetHandler function in http/resource.go omits this critical security check. This inconsistency creates a bypass path where users can access file contents through the unprotected endpoint even when their account has download permissions explicitly disabled.
Exploitation requires only a low-privileged authenticated account, can be carried out remotely over the network, and needs no user interaction. The impact is limited to confidentiality: an attacker can read text file contents but cannot modify files or disrupt the service through this vulnerability alone.
Root Cause
The root cause is a missing authorization check in the resourceGetHandler function. While other content-serving endpoints in the application properly verify the Perm.Download permission flag before serving file content, this specific handler returns full text file content directly without performing the same permission verification. This represents an incomplete implementation of the application's access control model, where a single endpoint was overlooked during the security control implementation.
Attack Vector
An attacker with a valid user account that has download permissions disabled can exploit this vulnerability by making direct requests to the vulnerable endpoint. Two bypass paths exist that allow circumventing the download restriction:
- Directly accessing the resource endpoint that serves text file content
- Leveraging the API to retrieve file contents without triggering the protected /api/raw, /api/preview, or /api/subtitle endpoints
The attack is straightforward to execute as it only requires crafting HTTP requests to the unprotected endpoint while authenticated as a user with restricted permissions. The vulnerability is limited to text files within the user's configured scope, but this could include sensitive configuration files, credentials, source code, or other confidential information.
Detection Methods for CVE-2026-35606
Indicators of Compromise
- Unusual file access patterns from user accounts with download restrictions
- HTTP requests to content-serving endpoints from accounts that should not have download permissions
- Access logs showing requests to the resource endpoint from restricted users
- Anomalous increases in data retrieval by low-privileged accounts
Detection Strategies
- Implement application-level logging to track all file access attempts and correlate with user permission levels
- Monitor for users with download: false configuration making requests to file content endpoints
- Deploy web application firewall rules to flag potential authorization bypass attempts
- Review File Browser access logs for requests that successfully retrieved content from users with download restrictions
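The log review described in the detection strategies above, as an added example that is not part of the page or of File Browser: it joins a constructed access log against a constructed user permission table and flags successful content reads by users whose download permission is false. The key=value log format, the user table, and the route "/api/resources/" (assumed to be the one served by resourceGetHandler, which the page does not name) are all assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

var downloadAllowed = map[string]bool{"alice": false, "bob": true} // constructed user -> Perm.Download

// Content-serving routes: the first three are named by the advisory;
// "/api/resources/" is assumed to be the route behind resourceGetHandler.
var contentPrefixes = []string{"/api/raw/", "/api/preview/", "/api/subtitle/", "/api/resources/"}

// parseLine splits a constructed key=value access-log line into a map.
func parseLine(line string) map[string]string {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if i := strings.IndexByte(f, '='); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	return kv
}

// Detect returns "user path" for every successful (2xx) request to a content endpoint by a
// user whose download permission is false; with the check in place this must never succeed.
func Detect(lines []string) []string {
	var hits []string
	for _, l := range lines {
		kv := parseLine(l)
		// Skip unknown users, users allowed to download, and denied or failed requests (403, 404).
		if allowed, known := downloadAllowed[kv["user"]]; !known || allowed || !strings.HasPrefix(kv["status"], "2") {
			continue
		}
		for _, p := range contentPrefixes {
			if strings.HasPrefix(kv["path"], p) {
				hits = append(hits, kv["user"]+" "+kv["path"])
				break
			}
		}
	}
	return hits
}

// sampleLog is constructed for this example; it is not File Browser's log format.
var sampleLog = []string{
	"ts=2026-04-08T10:15:02Z user=alice method=GET path=/api/resources/config.yml status=200",
	"ts=2026-04-08T10:15:09Z user=alice method=GET path=/api/raw/config.yml status=403",
	"ts=2026-04-08T10:16:30Z user=bob method=GET path=/api/raw/notes.txt status=200",
	"ts=2026-04-08T10:17:01Z user=alice method=GET path=/api/users/me status=200",
}

func main() { fmt.Println(Detect(sampleLog)) } // [alice /api/resources/config.yml]
```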
Monitoring Recommendations
- Enable verbose logging in File Browser to capture all file access requests
- Set up alerting for file access events from accounts with restricted download permissions
- Regularly audit user permissions and access patterns to identify potential abuse
- Monitor for exploitation attempts in network traffic targeting File Browser installations
How to Mitigate CVE-2026-35606
Immediate Actions Required
- Upgrade File Browser to version 2.63.1 or later immediately
- Review access logs for any evidence of exploitation prior to patching
- Audit user accounts with download restrictions to identify potentially exposed data
- Consider temporarily restricting access to File Browser installations until patching is complete
Patch Information
The vulnerability has been fixed in File Browser version 2.63.1. The patch ensures that the resourceGetHandler function properly verifies the Perm.Download permission flag before serving any file content, bringing it in line with the other content-serving endpoints. Organizations should update to this version or later as soon as possible.
For detailed information about the security fix, refer to the GitHub Security Advisory.
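A Go model of the root cause and of the patch described above, added here as an example; it is not File Browser's code and the types, the in-memory scope and the file contents are constructed. The vulnerable handler returns text without consulting Perm.Download; the fixed one performs the same check the page says the other content endpoints already make.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed minimal shapes for the user and its Perm.Download flag (not the project's real types).
type Permissions struct{ Download bool }
type User struct {
	Name string
	Perm Permissions
}

var scope = map[string]string{"/config.yml": "db_password: example-secret\n"} // constructed scope

// vulnerableResourceGet models the flaw: the text is returned without consulting u.Perm.Download.
func vulnerableResourceGet(w http.ResponseWriter, u *User, path string) {
	body, ok := scope[path]
	if !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	fmt.Fprint(w, body)
}

// fixedResourceGet performs the check the advisory says /api/raw, /api/preview
// and /api/subtitle already make, before any file content is read.
func fixedResourceGet(w http.ResponseWriter, u *User, path string) {
	if !u.Perm.Download {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	vulnerableResourceGet(w, u, path)
}

// request drives a handler through httptest and returns status code and body.
func request(h func(http.ResponseWriter, *User, string), u *User, path string) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, u, path)
	return rec.Code, rec.Body.String()
}

func main() {
	u := &User{Name: "alice", Perm: Permissions{Download: false}}
	fmt.Println(request(vulnerableResourceGet, u, "/config.yml")) // 200 and the file text
	fmt.Println(request(fixedResourceGet, u, "/config.yml"))      // 403 forbidden
}
```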
Workarounds
- Temporarily disable external access to File Browser installations until the patch can be applied
- Implement network-level access controls to restrict File Browser access to trusted IP ranges
- Configure reverse proxy rules to block requests to the vulnerable endpoint
- Review and temporarily elevate download permissions for affected users to reduce attack surface complexity while monitoring for exploitation
# Configuration example - Restrict network access via firewall
# Allow only the trusted internal network to reach File Browser on port 8080.
# Note: -A appends, so an earlier ACCEPT rule for port 8080 in the INPUT chain would still match first.
iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

# Alternative: use nginx as a reverse proxy to restrict access while patching.
# Add to the server block that fronts File Browser.
location / {
    allow 192.168.1.0/24;
    deny all;
    proxy_pass http://localhost:8080;
}

# Both variants only keep untrusted networks out; an authenticated user inside the allowed range
# can still use the flaw until the patch is applied.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

