CVE-2026-30933
Published: 10 March 2026
Summary
CVE-2026-30933 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in FileBrowser Quantum (NVD vendor/product: Filebrowser). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 27.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle.
Inventory identifies all systems holding or processing data, enabling detection of unauthorized exposure paths before exploitation.
Protection planning for critical infrastructure directly calls for authentication of access to essential functions before any operation is permitted.
Risk assessments evaluate exposure of critical functions lacking authentication and prioritize corrective controls.
Requires authentication gates on critical functions that must remain unavailable to anonymous public users.
Treats remote activation of surveillance-capable devices as a critical function that must be disabled or authenticated.
Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing web file manager enables unauthenticated exploitation (T1190) to retrieve protected file contents via exposed download URLs (T1005).
NVD Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
Deeper analysis
CVE-2026-30933 is an information disclosure vulnerability in FileBrowser Quantum, a free, self-hosted, web-based file manager. It represents an incomplete remediation of the prior CVE-2026-27611 in versions prior to 1.3.1-beta and 1.2.2-stable. Specifically, password-protected shares continue to expose tokenized download URLs through the /public/api/share/info endpoint, enabling unauthorized access to sensitive file contents. The issue is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-306 (Missing Authentication for Critical Function), and CWE-602 (Client-Side Enforcement of Server-Side Security).
Remote attackers require no authentication, privileges, or user interaction to exploit this vulnerability over the network with low complexity. By querying the /public/api/share/info endpoint, they can retrieve tokenized download URLs for password-protected shares, bypassing intended protections and gaining high-impact unauthorized access to confidential files.
The vulnerability is fully remediated in FileBrowser Quantum versions 1.3.1-beta and 1.2.2-stable, as detailed in the project's GitHub security advisory (GHSA-525j-95gf-766f) and corresponding release notes. Security practitioners should immediately upgrade affected instances to one of these patched versions to mitigate the risk.
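The following Go sketch is an added illustration, not FileBrowser's own code, of the CWE-602 pattern the analysis describes beside its server-side fix: one share-info function always includes the tokenized download URL and leaves it to the client to hide the link until a password is typed, while the hardened function releases the URL only after the share password has been verified on the server. The Share and ShareInfo types, the X-Share-Password header, the download path format, the SHA-256 password check and all sample values are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
)

// Share is a constructed, simplified model of a public share (not FileBrowser's own type).
type Share struct {
	Hash         string
	PasswordHash [32]byte // SHA-256 of the share password; zero value means no password
	Token        string   // secret that authorizes downloads of this share
}

// ShareInfo is the JSON body returned by the hypothetical share-info endpoint.
type ShareInfo struct {
	Hash        string `json:"hash"`
	Protected   bool   `json:"protected"`
	DownloadURL string `json:"downloadURL,omitempty"`
}

// NewShare builds a share; pw == "" creates an unprotected share.
// A real deployment would use a password KDF such as bcrypt or argon2;
// SHA-256 is used here only to keep the example self-contained.
func NewShare(hash, token, pw string) Share {
	s := Share{Hash: hash, Token: token}
	if pw != "" {
		s.PasswordHash = sha256.Sum256([]byte(pw))
	}
	return s
}

func (s Share) hasPassword() bool { return s.PasswordHash != [32]byte{} }

// checkPassword compares in constant time so timing does not leak the result.
func (s Share) checkPassword(pw string) bool {
	if !s.hasPassword() {
		return false
	}
	sum := sha256.Sum256([]byte(pw))
	return subtle.ConstantTimeCompare(sum[:], s.PasswordHash[:]) == 1
}

// downloadURL is the tokenized link: whoever holds it can fetch the files.
func (s Share) downloadURL() string {
	return fmt.Sprintf("/public/api/share/download/%s?token=%s", s.Hash, s.Token)
}

// VulnerableInfo shows the CWE-602 pattern: the server always ships the
// tokenized URL and trusts the client to hide it until a password is entered.
func VulnerableInfo(s Share, _ string) ShareInfo {
	return ShareInfo{Hash: s.Hash, Protected: s.hasPassword(), DownloadURL: s.downloadURL()}
}

// HardenedInfo releases the tokenized URL only when the share is unprotected
// or the supplied password is correct; otherwise the secret never leaves the server.
func HardenedInfo(s Share, pw string) ShareInfo {
	info := ShareInfo{Hash: s.Hash, Protected: s.hasPassword()}
	if !s.hasPassword() || s.checkPassword(pw) {
		info.DownloadURL = s.downloadURL()
	}
	return info
}

// InfoHandler wires an info function to HTTP. The password is read from a
// hypothetical X-Share-Password header (an assumption of this example).
func InfoHandler(shares map[string]Share, info func(Share, string) ShareInfo) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		s, ok := shares[r.URL.Query().Get("hash")]
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(info(s, r.Header.Get("X-Share-Password")))
	}
}

func main() {
	// Constructed sample share; an anonymous caller sends no password.
	s := NewShare("abc123", "t0k3n-constructed", "hunter2")
	vuln, _ := json.Marshal(VulnerableInfo(s, ""))
	hard, _ := json.Marshal(HardenedInfo(s, ""))
	fmt.Printf("vulnerable: %s\nhardened:   %s\n", vuln, hard)
}
```

The fix lives entirely in the response builder: a UI that hides the link is not a control, because the JSON body is what an unauthenticated client actually receives. On a patched instance, the defensive check is the same as the test below expresses: the info response for a password-protected share must carry no downloadURL field until the correct password has been presented.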
Details
- CWE(s)