Vulnerability Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope. As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through `GET /api/public/share/*` and `GET /api/public/dl/*`. This vulnerability is fixed in 2.63.6.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/filebrowser/filebrowser/commit/e07c59df0b850f5924d5b1683e8609
- https://github.com/filebrowser/filebrowser/releases/tag/v2.63.6
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-j9jx-hp4c-gh
FAQ
What is CVE-2026-54091?
CVE-2026-54091 is a vulnerability with a CVSS score of 7.5 (HIGH). File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase th...
How severe is CVE-2026-54091?
CVE-2026-54091 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-54091?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.