CVE-2026-27611

6.5 MEDIUM

📋 TL;DR

This vulnerability in FileBrowser Quantum allows unauthorized access to password-protected shared files. Anyone with a share link can bypass password protection and download files directly. This affects all users who share files with passwords in vulnerable versions.

💻 Affected Systems

Products:
  • FileBrowser Quantum
Versions: All versions prior to 1.1.3-stable and 1.2.6-beta
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any installation where password-protected file sharing is used. The vulnerability exists in the API response handling for shared files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive files shared with password protection are exposed to unauthorized parties, potentially leading to data breaches, privacy violations, or intellectual property theft.

🟠 Likely Case

Unauthorized users access password-protected shared files, compromising the confidentiality of sensitive documents, media, or other protected content.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to specific shared files rather than entire systems, but the confidentiality of those files is still compromised.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the share link, which could be obtained through various means. No authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.3-stable or 1.2.6-beta

Vendor Advisory: https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6

Restart Required: Yes

Instructions:

1. Back up your configuration and data.
2. Stop the FileBrowser service.
3. Update to version 1.1.3-stable or 1.2.6-beta.
4. Restart the service.
5. Verify the fix by testing password-protected file sharing.

🔧 Temporary Workarounds

Disable file sharing
  Applies to: all
  Temporarily disable all file sharing functionality to prevent exploitation.
  How: edit the configuration to disable sharing features.

Use external authentication
  Applies to: all
  Implement external authentication mechanisms instead of the built-in password protection.
  How: configure external auth providers.

🧯 If You Can't Patch

  • Disable all password-protected file sharing immediately
  • Monitor access logs for unauthorized download attempts on shared files

🔍 How to Verify

Check if Vulnerable:

Test by creating a password-protected file share and attempting to access the download link without entering the password; a vulnerable instance serves the file anyway.

Check Version:

filebrowser version

Verify Fix Applied:

After patching, test password-protected file sharing again to confirm that the password is required before a download is served.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to shared file endpoints
  • Downloads of password-protected files with no corresponding authentication log entry

Network Indicators:

  • Direct file downloads from share links without preceding authentication requests

SIEM Query:

source="filebrowser" AND (event="file_download" AND NOT event="password_verified")

🔗 References
