CVE-2026-30933
📋 TL;DR
FileBrowser Quantum versions before 1.3.1-beta and 1.2.2-stable have an incomplete fix for CVE-2026-27611, allowing password-protected shares to leak tokenized download URLs via the /public/api/share/info endpoint. This affects all users running vulnerable versions who have password-protected shares configured.
💻 Affected Systems
- FileBrowser Quantum
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass password protection on sensitive files and download them without authentication, potentially exposing confidential data.
Likely Case
Unauthorized users accessing password-protected shares by obtaining tokenized URLs, leading to data leakage.
If Mitigated
With proper network segmentation and access controls, impact is limited to authorized users who already have some access to the system.
🎯 Exploit Status
Exploitation requires accessing the /public/api/share/info endpoint, which may be publicly accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.1-beta or 1.2.2-stable
Vendor Advisory: https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f
Restart Required: Yes
Instructions:
1. Back up your configuration and data.
2. Download the patched version from GitHub releases.
3. Replace the existing installation with the new version.
4. Restart the FileBrowser Quantum service.
🔧 Temporary Workarounds
Disable Password-Protected Shares
Temporarily disable all password-protected shares until patching is complete.
Edit configuration to remove password-protected shares
Restrict API Access
Block external access to the /public/api/share/info endpoint using firewall rules. The string match below only sees plaintext HTTP; if FileBrowser is served over TLS, block the path at the reverse proxy or load balancer instead, and note that the match will drop any packet on that port containing the string, not only request lines.
iptables -A INPUT -p tcp --dport [PORT] -m string --string "/public/api/share/info" --algo bm -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FileBrowser Quantum from untrusted networks.
- Enable detailed logging and monitoring for unauthorized access attempts to the /public/api/share/info endpoint.
🔍 How to Verify
Check if Vulnerable:
Check whether the running version is earlier than 1.3.1-beta or 1.2.2-stable and whether any password-protected shares are configured.
Check Version:
filebrowser version
Verify Fix Applied:
After patching, verify version is 1.3.1-beta or 1.2.2-stable and test that password-protected shares no longer leak tokenized URLs via /public/api/share/info.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /public/api/share/info endpoint
- Multiple failed authentication attempts followed by successful file downloads
Network Indicators:
- HTTP requests to /public/api/share/info from unexpected IP addresses
- Unusual download patterns from password-protected shares
SIEM Query:
source="filebrowser.log" AND (uri_path="/public/api/share/info" OR (event="file_download" AND share_type="password_protected"))
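The two log indicators above can be evaluated offline before they are turned into a SIEM rule. The script below is an added example, not FileBrowser Quantum's own code or tooling: it assumes a simple space-separated log layout ("timestamp ip event status path") and the event names share_info, share_auth_failed and file_download, all of which are constructed for this example and must be mapped onto the real log format in parse_line(). It flags (1) source IPs that burst the /public/api/share/info endpoint and (2) IPs whose repeated share-authentication failures are followed by a successful download, which is the sequence the "If Mitigated" and "Likely Case" sections describe.

```python
"""Detect the two log indicators from the advisory over constructed log lines.

Assumed log layout (not FileBrowser Quantum's real format):
    <ISO-8601 timestamp> <client ip> <event> <http status> <path or ->
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SHARE_INFO_PATH = "/public/api/share/info"

# Constructed sample log. 203.0.113.7 hammers the share-info endpoint;
# 198.51.100.5 fails share auth three times and then downloads a file;
# 192.0.2.9 is benign-looking (one lookup, one failure, one download).
SAMPLE_LOG = """\
2026-03-01T10:00:01Z 203.0.113.7 share_info 200 /public/api/share/info
2026-03-01T10:00:02Z 203.0.113.7 share_info 200 /public/api/share/info
2026-03-01T10:00:02Z 203.0.113.7 share_info 200 /public/api/share/info
2026-03-01T10:00:03Z 203.0.113.7 share_info 200 /public/api/share/info
2026-03-01T10:00:03Z 203.0.113.7 share_info 200 /public/api/share/info
2026-03-01T10:00:04Z 203.0.113.7 share_info 200 /public/api/share/info
2026-03-01T10:00:10Z 198.51.100.5 share_auth_failed 401 -
2026-03-01T10:00:12Z 198.51.100.5 share_auth_failed 401 -
2026-03-01T10:00:14Z 198.51.100.5 share_auth_failed 401 -
2026-03-01T10:00:20Z 198.51.100.5 file_download 200 -
2026-03-01T10:05:00Z 192.0.2.9 share_info 200 /public/api/share/info
2026-03-01T10:05:30Z 192.0.2.9 share_auth_failed 401 -
2026-03-01T10:06:00Z 192.0.2.9 file_download 200 -
"""


def parse_line(line):
    """Parse one assumed-format log line into a record dict."""
    ts, ip, event, status, path = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ip,
        "event": event,
        "status": int(status),
        "path": path,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def share_info_bursts(records, window=timedelta(seconds=10), threshold=5):
    """IPs that request /public/api/share/info `threshold`+ times inside `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of recent share-info hits
    flagged = set()
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["path"] != SHARE_INFO_PATH:
            continue
        q = recent[r["ip"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(r["ip"])
    return flagged


def failed_auth_then_download(records, min_failures=3, window=timedelta(minutes=5)):
    """(ip, failure_count, download_time) for IPs whose `min_failures`+ share-auth
    failures inside `window` are followed by a successful file download."""
    failures = defaultdict(deque)  # ip -> timestamps of recent auth failures
    flagged = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        q = failures[r["ip"]]
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if r["event"] == "share_auth_failed":
            q.append(r["ts"])
        elif r["event"] == "file_download" and r["status"] == 200 and len(q) >= min_failures:
            flagged.append((r["ip"], len(q), r["ts"]))
            q.clear()  # report each failure run once
    return flagged


def analyze(text):
    """Run both indicators over a log text and return their findings."""
    records = parse_log(text)
    return {
        "share_info_bursts": share_info_bursts(records),
        "auth_failures_then_download": failed_auth_then_download(records),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(name, hits)
```

Tune `threshold` and `window` to the normal share-lookup rate of your deployment before alerting on the output; a single legitimate client opening a share page may hit the endpoint more than once.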