CVE-2026-35604
Published: 07 April 2026
Summary
CVE-2026-35604 is a high-severity Incorrect Authorization (CWE-863) vulnerability in File Browser (vendor: Filebrowser). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 21.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-24 (Access Control Decisions): requires systems to make access control decisions based on current authorizations prior to granting access, directly mitigating the public share handler's failure to re-check the share owner's revoked permissions.
- AC-3 (Access Enforcement): mandates enforcement of approved authorizations for access to resources, addressing the incorrect authorization that allowed existing share links to bypass permission revocation.
- Protects publicly accessible system resources such as share links from unauthorized access by unauthenticated users.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an authorization bypass in the public share download handler of a public-facing web application (File Browser), directly enabling remote exploitation for unauthorized file access without re-checking permissions.
NVD Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. This vulnerability is fixed in 2.63.1.
Deeper analysis
CVE-2026-35604 affects File Browser, an open-source file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions prior to 2.63.1, the vulnerability arises when an administrator revokes a user's Share and Download permissions; existing share links created by that user remain fully accessible to unauthenticated users. This occurs because the public share download handler does not re-check the share owner's current permissions, classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
A low-privileged user (PR:L) who initially holds Share and Download permissions can exploit this by creating public share links to files before an admin revokes those permissions. Unauthenticated attackers who obtain these links, whether via phishing, social engineering, or prior sharing, can then access the shared files over the network with no user interaction required. This enables high-impact breaches of confidentiality, such as downloading sensitive files, and integrity violations, potentially including modifications depending on the share configuration.
The vulnerability is fixed in File Browser version 2.63.1, as detailed in the project's security advisory (GHSA-v9w4-gm2x-6rvf) and corresponding pull request (#5888) on GitHub. Security practitioners should upgrade to 2.63.1 or later and audit existing share links created by users whose permissions have been modified.
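As an added illustration of the control failure and its fix (this is not File Browser's code, which this page does not reproduce), the following Go sketch contrasts a public-share resolver that treats possession of a link hash as sufficient authorization with one that applies the AC-24/AC-3 principle and re-checks the owner's current Share and Download permissions on every request. It also includes an audit helper matching the advice above to review existing links after a permission change. All types, field names, the in-memory store, and the sample hash `abc123` are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Perms models the two per-user flags relevant to this CVE.
// Field names are constructed, not File Browser's own.
type Perms struct {
	Share    bool
	Download bool
}

// User is a constructed stand-in for a File Browser account.
type User struct {
	Name  string
	Perms Perms
}

// Share is a constructed stand-in for a public share link record.
type Share struct {
	Hash  string // public link identifier
	Owner string // user who created the link
	Path  string // file the link exposes
}

// Store is an in-memory stand-in for the application's database.
type Store struct {
	Users  map[string]*User
	Shares map[string]*Share
}

var (
	ErrNotFound  = errors.New("share not found")
	ErrForbidden = errors.New("share owner no longer permitted to share or download")
)

// ResolveVulnerable mirrors the flawed pattern: a successful lookup by hash is
// treated as authorization, so the owner's current permissions are never consulted.
func (s *Store) ResolveVulnerable(hash string) (*Share, error) {
	sh, ok := s.Shares[hash]
	if !ok {
		return nil, ErrNotFound
	}
	return sh, nil
}

// ResolveHardened decides access against *current* authorizations (AC-24/AC-3):
// the owner must still exist and still hold both Share and Download.
func (s *Store) ResolveHardened(hash string) (*Share, error) {
	sh, ok := s.Shares[hash]
	if !ok {
		return nil, ErrNotFound
	}
	owner, ok := s.Users[sh.Owner]
	if !ok || !owner.Perms.Share || !owner.Perms.Download {
		// Deny; the anonymous caller learns nothing beyond "not available".
		return nil, ErrForbidden
	}
	return sh, nil
}

// AuditOrphanedShares lists link hashes whose owners currently lack Share or
// Download permission, for review after an admin changes a user's permissions.
func (s *Store) AuditOrphanedShares() []string {
	var out []string
	for hash, sh := range s.Shares {
		owner, ok := s.Users[sh.Owner]
		if !ok || !owner.Perms.Share || !owner.Perms.Download {
			out = append(out, hash)
		}
	}
	sort.Strings(out) // deterministic order for reporting
	return out
}

// NewDemoStore builds constructed sample data reproducing the scenario:
// alice creates a link while permitted, then an admin revokes her permissions.
func NewDemoStore() *Store {
	s := &Store{Users: map[string]*User{}, Shares: map[string]*Share{}}
	alice := &User{Name: "alice", Perms: Perms{Share: true, Download: true}}
	s.Users[alice.Name] = alice
	s.Shares["abc123"] = &Share{Hash: "abc123", Owner: "alice", Path: "/reports/q1.pdf"}
	alice.Perms = Perms{} // revocation happens after the link already exists
	return s
}

func main() {
	s := NewDemoStore()
	_, errV := s.ResolveVulnerable("abc123")
	_, errH := s.ResolveHardened("abc123")
	fmt.Printf("vulnerable resolver: err=%v\n", errV) // nil: link still served
	fmt.Printf("hardened resolver:   err=%v\n", errH) // ErrForbidden
	fmt.Printf("orphaned shares:     %v\n", s.AuditOrphanedShares())
}
```

The hardened resolver keeps the revocation check at the point of decision rather than at link creation, which is exactly the property the advisory says was missing; the audit helper gives an administrator a list of links to revoke or re-validate after changing a user's permissions.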
Details
- CWE(s)