{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-35604/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-35604"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["filebrowser","authorization-bypass","github-advisory","cve-2026-35604"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFile Browser versions prior to 2.63.1 contain an authorization bypass vulnerability. Specifically, when an administrator revokes a user\u0026rsquo;s share and download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The vulnerability exists because the public share download handler (\u003ccode\u003ehttp/public.go\u003c/code\u003e) does not re-check the share owner\u0026rsquo;s current permissions when serving shared files. This can lead to unauthorized data access and a false sense of security for administrators who believe that revoking permissions immediately terminates access to shared resources. The issue was verified against version 2.62.2 (commit 860c19d).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator creates a user account with Share and Download permissions.\u003c/li\u003e\n\u003cli\u003eThe user logs in and creates a share link for a file (e.g., \u003ccode\u003esecret.txt\u003c/code\u003e). The system generates a hash (e.g., \u003ccode\u003efB4Qwtsn\u003c/code\u003e) associated with the share.\u003c/li\u003e\n\u003cli\u003eAn unauthenticated user accesses the file via the share link (e.g., \u003ccode\u003e/api/public/dl/fB4Qwtsn\u003c/code\u003e), successfully downloading the content.\u003c/li\u003e\n\u003cli\u003eThe administrator revokes the user\u0026rsquo;s Share and Download permissions via the API, modifying the user\u0026rsquo;s record in the system.\u003c/li\u003e\n\u003cli\u003eThe revoked user attempts to create a new share link and is correctly denied access (403 Forbidden).\u003c/li\u003e\n\u003cli\u003eAn unauthenticated user attempts to access the file using the previously created share link (e.g., \u003ccode\u003e/api/public/dl/fB4Qwtsn\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe system retrieves the share link information but fails to validate whether the original user still possesses Share and Download permissions.\u003c/li\u003e\n\u003cli\u003eThe system serves the file, bypassing the intended authorization restrictions and granting unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows unauthorized access to files shared through File Browser, even after an administrator has revoked the share creator\u0026rsquo;s permissions. This can result in data breaches, as users who should no longer have access to shared resources can still retrieve them via existing share links. The administrator may believe that revoking permissions immediately stops all sharing, leading to a false sense of security. This is particularly impactful in environments where sensitive data is shared via File Browser and access control is critical.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade File Browser to version 2.63.1 or later to patch CVE-2026-35604.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to \u003ccode\u003e/api/public/dl/*\u003c/code\u003e endpoints (logsource: webserver, product: linux/windows) after revoking user permissions; correlate with user permission changes.\u003c/li\u003e\n\u003cli\u003eImplement the suggested fix by adding permission re-validation in \u003ccode\u003ewithHashFile\u003c/code\u003e as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T00:04:59Z","date_published":"2026-04-08T00:04:59Z","id":"/briefs/2026-04-filebrowser-share-bypass/","summary":"File Browser share links remain accessible after Share/Download permissions are revoked, allowing continued access to shared files even after an administrator revokes the user's permissions.","title":"File Browser Share Links Accessible After Permission Revocation","url":"https://feed.craftedsignal.io/briefs/2026-04-filebrowser-share-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-35604","version":"https://jsonfeed.org/version/1.1"}