Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-48777

CVE-2026-48777: FileBrowser Quantum Path Traversal Flaw

CVE-2026-48777 is a path traversal vulnerability in FileBrowser Quantum that allows attackers to move, copy, or rename files outside shared directories. This article covers technical details, affected versions, and fixes.

Published:

CVE-2026-48777 Overview

CVE-2026-48777 is a path traversal vulnerability in FileBrowser Quantum, a self-hosted web-based file manager. The flaw resides in the publicPatchHandler function within backend/http/public.go. The handler joins user-controlled fromPath and toPath body fields with the trusted d.share.Path before the downstream sanitizer executes. Anyone holding a public share link with AllowModify=true can move, copy, or rename arbitrary files within the share owner's source root. Affected versions include all releases prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta. Fixed versions are 1.3.3-stable and 1.4.2-beta.

Critical Impact

Unauthenticated attackers with a modifiable public share link can manipulate files outside the shared directory across the share owner's entire source root.

Affected Products

  • FileBrowser Quantum versions prior to 1.3.2-stable
  • FileBrowser Quantum 1.4.0-beta
  • FileBrowser Quantum 1.4.1-beta

Discovery Timeline

  • 2026-06-16 - CVE-2026-48777 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-48777

Vulnerability Analysis

The vulnerability is a path traversal flaw classified under [CWE-22]. The publicPatchHandler accepts two user-controlled body fields, fromPath and toPath, which are intended to be paths relative to a public share. The handler prepends the trusted d.share.Path to these inputs using Go's filepath.Join before delegating to the shared resourcePatchHandler for sanitization. Because filepath.Join normalizes the result and collapses .. segments during the join operation, any traversal sequences supplied by the attacker are resolved away before the sanitizer inspects the path. The sanitizer therefore never observes a traversal pattern and the resulting move, copy, or rename operates on a location outside the shared directory.

Root Cause

The root cause is ordering: path normalization occurs before validation. The same defect was previously addressed in the bulk DELETE endpoint as CVE-2026-44542 (GHSA-fwj3-42wh-8673), but the equivalent pattern in the PATCH handler was overlooked. Sanitization must inspect the raw user input or be applied to the final joined path before any normalization-based collapse of relative segments.

Attack Vector

Exploitation requires only a public share link configured with AllowModify=true. No authentication is needed. An attacker sends a PATCH request to the public share endpoint with a crafted fromPath or toPath body field containing .. sequences. The server resolves the joined path outside the share boundary and performs the requested move, copy, or rename against arbitrary files within the share owner's source root, enabling data tampering and integrity loss.

Vulnerability mechanism (described in prose):
1. Attacker obtains a public share URL with AllowModify enabled.
2. Attacker submits a PATCH request with fromPath/toPath containing traversal segments.
3. filepath.Join(d.share.Path, attackerPath) collapses .. segments.
4. Sanitizer in resourcePatchHandler validates the already-normalized path.
5. The move/copy/rename executes outside the intended share directory.

Detection Methods for CVE-2026-48777

Indicators of Compromise

  • HTTP PATCH requests to public share endpoints containing .. segments in fromPath or toPath JSON body fields.
  • Unexpected file movements, renames, or copies within the FileBrowser source root that did not originate from authenticated user sessions.
  • Access log entries showing public share PATCH activity from external IP addresses targeting modifiable shares.

Detection Strategies

  • Inspect FileBrowser HTTP access logs for PATCH requests against /api/public/ routes and decode request bodies for traversal sequences.
  • Compare file system snapshots within the share owner's source root to identify out-of-share modifications correlated with public share activity.
  • Enable structured request logging that captures the full fromPath and toPath body parameters submitted to public share endpoints.

Monitoring Recommendations

  • Alert on any public share with AllowModify=true and review whether modification capability is actually required.
  • Monitor for file integrity changes outside expected share directories using host-based file integrity monitoring.
  • Track HTTP 200 responses to PATCH requests on public share routes and baseline normal volume to spot anomalous activity.

How to Mitigate CVE-2026-48777

Immediate Actions Required

  • Upgrade FileBrowser Quantum to 1.3.3-stable or 1.4.2-beta without delay.
  • Audit all existing public share links and disable any with AllowModify=true until the upgrade is complete.
  • Rotate or revoke public share tokens that were active during the vulnerable period.
  • Review file system audit logs within share owner source roots for unauthorized move, copy, or rename activity.

Patch Information

The maintainers fixed the issue in FileBrowser v1.3.3-stable and FileBrowser v1.4.2-beta. Technical details are documented in GitHub Security Advisory GHSA-qqqm-5547-774x.

Workarounds

  • Disable public sharing entirely until the patched version is deployed.
  • Set AllowModify=false on all public shares to prevent PATCH operations against the vulnerable handler.
  • Place FileBrowser behind a reverse proxy that strips or blocks PATCH requests containing .. sequences in JSON bodies targeting public share routes.
bash
# Upgrade FileBrowser Quantum to a patched release
docker pull gtstef/filebrowser:v1.3.3-stable
docker stop filebrowser && docker rm filebrowser
docker run -d --name filebrowser \
  -v /srv:/srv \
  -v /path/to/config:/home/filebrowser \
  gtstef/filebrowser:v1.3.3-stable

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.