Cyber Resilience

CVE-2026-30933

High · Public PoC

Published: 10 March 2026
Modified: 18 March 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: 1.3.1-beta / 1.2.2-stable
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0011 (28.4th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30933 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Filebrowser Filebrowser. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.4th percentile by EPSS exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2026-30933 is an information disclosure vulnerability in FileBrowser Quantum, a free, self-hosted, web-based file manager. In versions prior to 1.3.1-beta and 1.2.2-stable, the remediation for the earlier CVE-2026-27611 was incomplete: password-protected shares continue to expose tokenized download URLs through the /public/api/share/info endpoint, enabling unauthorized access to sensitive file contents. The issue is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-306 (Missing Authentication for Critical Function), and CWE-602 (Client-Side Enforcement of Server-Side Security).

Remote attackers require no authentication, privileges, or user interaction to exploit this vulnerability over the network with low complexity. By querying the /public/api/share/info endpoint, they can retrieve tokenized download URLs for password-protected shares, bypassing intended protections and gaining high-impact unauthorized access to confidential files.

The vulnerability is fully remediated in FileBrowser Quantum versions 1.3.1-beta and 1.2.2-stable, as detailed in the project's GitHub security advisory (GHSA-525j-95gf-766f) and corresponding release notes. Security practitioners should immediately upgrade affected instances to one of these patched versions to mitigate the risk.
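As an added illustration (not FileBrowser's own code), the following Go model places the client-side-enforcement pattern behind this CVE beside a server-side check. The Share and ShareInfo types, the field names, the SHA-256 password comparison and the sample token are assumptions, constructed so the example runs offline.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
)
// Share is a constructed share record (an assumption, not FileBrowser's own type).
type Share struct {
	Hash         string
	Protected    bool     // a password is required to open the share
	PasswordHash [32]byte // SHA-256 of that password; zero for open shares
	DownloadURL  string   // tokenized URL that grants the file download directly
}
// ShareInfo is the shape a /public/api/share/info style response could take.
type ShareInfo struct {
	Hash              string `json:"hash"`
	PasswordProtected bool   `json:"passwordProtected"`
	DownloadURL       string `json:"downloadURL,omitempty"`
}
// vulnerableShareInfo shows the CWE-602 pattern behind the CVE: the tokenized URL
// is handed out and the client is trusted to ask for the password afterwards.
func vulnerableShareInfo(s Share) ShareInfo {
	return ShareInfo{Hash: s.Hash, PasswordProtected: s.Protected, DownloadURL: s.DownloadURL}
}
// verifyPassword is a stand-in (SHA-256 plus constant-time compare) so the example
// runs offline; a production service would use a slow password hash instead.
func verifyPassword(s Share, candidate string) bool {
	sum := sha256.Sum256([]byte(candidate))
	return subtle.ConstantTimeCompare(sum[:], s.PasswordHash[:]) == 1
}
// hardenedShareInfo makes the decision server-side (closing CWE-306/CWE-602): the
// URL is emitted only for open shares or once the caller has proven the password.
func hardenedShareInfo(s Share, candidate string) ShareInfo {
	info := ShareInfo{Hash: s.Hash, PasswordProtected: s.Protected}
	if !s.Protected || verifyPassword(s, candidate) {
		info.DownloadURL = s.DownloadURL
	}
	return info
}
func main() { // constructed sample: a protected share whose password is "s3cret"
	s := Share{Hash: "abc123", Protected: true, PasswordHash: sha256.Sum256([]byte("s3cret")),
		DownloadURL: "/public/dl/abc123?token=CONSTRUCTED"}
	for _, info := range []ShareInfo{vulnerableShareInfo(s), hardenedShareInfo(s, ""), hardenedShareInfo(s, "s3cret")} {
		b, _ := json.Marshal(info) // omitempty drops downloadURL whenever it is withheld
		fmt.Println(string(b))
	}
}
```

Only the first JSON line printed contains downloadURL without a password; the hardened handler withholds it until the password is verified.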

Vulnerability details

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete: password-protected shares still disclose the tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

A vulnerability in a public-facing web file manager enables unauthenticated exploitation (T1190) to retrieve protected file contents via the exposed download URLs (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

Same product (Filebrowser Filebrowser): CVE-2026-35605, CVE-2026-35604, CVE-2026-35606, CVE-2026-32760, CVE-2026-34528, CVE-2025-53826, CVE-2026-35607, CVE-2025-64523, CVE-2026-35585, CVE-2026-25890

Affected Assets

Vendor / product: filebrowser / filebrowser
Affected versions: 1.2.1, 1.3.0 · ≤ 1.2.9

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent: Directly mitigates the information disclosure vulnerability by requiring timely remediation through patching to FileBrowser Quantum versions 1.3.1-beta or 1.2.2-stable, which fully address the incomplete fix for CVE-2026-27611.

prevent (SC-14, Public Access Protections): Protects public-facing endpoints like /public/api/share/info from unauthorized disclosure of sensitive tokenized download URLs accessible without authentication.

prevent (AC-3, Access Enforcement): Enforces logical access controls to prevent unauthorized actors from retrieving password-protected share information via unauthenticated API queries.

References