CVE-2026-30933
Published: 10 March 2026
Summary
CVE-2026-30933 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Filebrowser's FileBrowser Quantum. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2026-30933 is an information disclosure vulnerability in FileBrowser Quantum, a free, self-hosted, web-based file manager. It represents an incomplete remediation of the prior CVE-2026-27611 in versions prior to 1.3.1-beta and 1.2.2-stable. Specifically, password-protected shares continue to expose tokenized download URLs through the /public/api/share/info endpoint, enabling unauthorized access to sensitive file contents. The issue is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-306 (Missing Authentication for Critical Function), and CWE-602 (Client-Side Enforcement of Server-Side Security).
Remote attackers require no authentication, privileges, or user interaction to exploit this vulnerability over the network with low complexity. By querying the /public/api/share/info endpoint, they can retrieve tokenized download URLs for password-protected shares, bypassing intended protections and gaining high-impact unauthorized access to confidential files.
The vulnerability is fully remediated in FileBrowser Quantum versions 1.3.1-beta and 1.2.2-stable, as detailed in the project's GitHub security advisory (GHSA-525j-95gf-766f) and corresponding release notes. Security practitioners should immediately upgrade affected instances to one of these patched versions to mitigate the risk.
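As an added defender-side example (not code from the FileBrowser project or from this advisory): a small Python triage helper that checks whether a reported FileBrowser Quantum version predates the fixed releases named above, and counts successful requests to the /public/api/share/info endpoint per client address in access-log lines. The combined log format, the `share=` query placeholder and the sample addresses are assumptions; the log lines are constructed.

```python
import re
from collections import Counter

# Fixed versions named in the advisory; anything older on the same channel is affected.
FIXED = {"stable": (1, 2, 2), "beta": (1, 3, 1)}
SHARE_INFO_PATH = "/public/api/share/info"
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)-(stable|beta)")
# Assumed common/combined access-log prefix: client ident user [time] "METHOD PATH PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_vulnerable(version: str) -> bool:
    """True if a FileBrowser Quantum version string such as '1.2.1-stable'
    predates the fix for CVE-2026-30933 on its release channel."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups()[:3]) < FIXED[m.group(4)]

def share_info_hits(log_lines, allow=()):
    """Count, per client address, successful (200) requests to the share-info
    endpoint. Addresses in `allow` (e.g. internal monitors) are ignored and the
    query string is dropped before comparing the path."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than failing the whole run
        src, _method, path, status = m.groups()
        if status == "200" and path.split("?", 1)[0] == SHARE_INFO_PATH and src not in allow:
            hits[src] += 1
    return hits

def flagged_sources(version, log_lines, allow=(), threshold=1):
    """Sources worth investigating; only meaningful while the instance is unpatched."""
    if not is_vulnerable(version):
        return []
    hits = share_info_hits(log_lines, allow)
    return sorted(src for src, n in hits.items() if n >= threshold)

# Constructed sample log lines (not from any real deployment); the query string is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /public/api/share/info?share=PLACEHOLDER HTTP/1.1" 200 412',
    '203.0.113.7 - - [10/Mar/2026:12:00:03 +0000] "GET /public/api/share/info HTTP/1.1" 200 398',
    '198.51.100.4 - - [10/Mar/2026:12:01:10 +0000] "GET /public/api/share/info HTTP/1.1" 404 19',
    '10.0.0.5 - - [10/Mar/2026:12:02:00 +0000] "GET /public/api/share/info HTTP/1.1" 200 401',
    '203.0.113.7 - - [10/Mar/2026:12:02:30 +0000] "GET /files/quarterly-report.pdf HTTP/1.1" 200 90211',
]
```

Run `flagged_sources("1.2.1-stable", SAMPLE_LOG, allow={"10.0.0.5"})` to get the external addresses that reached the endpoint on an unpatched build; after upgrading, the same call returns an empty list.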
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10543
Vulnerability details
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete: password-protected shares still disclose a tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing web file manager enables unauthenticated exploitation (T1190) to retrieve protected file contents via exposed download URLs (T1005).
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the information disclosure vulnerability by requiring timely remediation: patch to FileBrowser Quantum 1.3.1-beta or 1.2.2-stable, which fully address the incomplete fix for CVE-2026-27611.
- SC-14 (Public Access Protections): protects public-facing endpoints such as /public/api/share/info from unauthorized disclosure of sensitive tokenized download URLs that are otherwise accessible without authentication.
- AC-3 (Access Enforcement): enforces logical access controls to prevent unauthorized actors from retrieving password-protected share information via unauthenticated API queries.