Cyber Resilience

CVE-2026-35604

Severity: High · Public PoC

Published: 07 April 2026

Modified: 16 April 2026
CVSS v4 score: 8.2 (vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0033 (24.9th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35604 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Filebrowser Filebrowser. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-35604 affects File Browser, an open-source file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions prior to 2.63.1, the vulnerability arises when an administrator revokes a user's Share and Download permissions: existing share links created by that user remain fully accessible to unauthenticated users. This occurs because the public share download handler does not re-check the share owner's current permissions at access time. The issue is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

A low-privileged user (PR:L) with initial Share and Download permissions can exploit this by creating public share links to files before their permissions are revoked by an admin. Unauthenticated attackers who obtain these links—via phishing, social engineering, or prior sharing—can then access the shared files over the network with no user interaction required. This enables high-impact unauthorized confidentiality breaches, such as downloading sensitive files, and integrity violations, potentially including modifications depending on the share configuration.

The vulnerability is fixed in File Browser version 2.63.1, as detailed in the project's security advisory (GHSA-v9w4-gm2x-6rvf) and corresponding pull request (#5888) on GitHub. Security practitioners should upgrade to 2.63.1 or later and audit existing share links created by users whose permissions have been modified.
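As an added illustration (not File Browser's own code; the permission model, type names and sample data are assumptions), the pre-2.63.1 behaviour described above beside a resolver that re-checks the share owner's current permissions on every public access:

```go
package main

import "errors"

// Hypothetical permission and share model, not File Browser's own types.
type Perms struct{ Share, Download bool }
type Share struct{ Owner, Path string } // creating user and shared file

// Store holds each user's current permissions and the share links they created,
// keyed by the public link token.
type Store struct {
	Users  map[string]Perms
	Shares map[string]Share
}

var ErrNotFound = errors.New("share not found")
var ErrOwnerRevoked = errors.New("share owner may no longer share or download")

// NewStore seeds constructed sample data: alice may share and download and has
// already published a public link to report.pdf.
func NewStore() *Store {
	return &Store{
		Users:  map[string]Perms{"alice": {Share: true, Download: true}},
		Shares: map[string]Share{"abc123": {Owner: "alice", Path: "/files/report.pdf"}},
	}
}

// ResolveVulnerable mirrors the pre-2.63.1 behaviour: the public link is honoured
// as long as the share record exists, whatever the owner is allowed to do today.
func (s *Store) ResolveVulnerable(hash string) (Share, error) {
	if sh, ok := s.Shares[hash]; ok {
		return sh, nil
	}
	return Share{}, ErrNotFound
}

// ResolveFixed re-checks the owner's current permissions on every access, so an
// admin revocation immediately disables links that user created earlier.
func (s *Store) ResolveFixed(hash string) (Share, error) {
	sh, err := s.ResolveVulnerable(hash)
	if err != nil {
		return sh, err
	}
	// Fail closed: a missing owner record is treated like a revocation.
	if p, ok := s.Users[sh.Owner]; !ok || !p.Share || !p.Download {
		return Share{}, ErrOwnerRevoked
	}
	return sh, nil
}
```

The same access-time check is what an audit of existing share links should confirm after upgrading: a link whose owner has lost Share or Download must resolve to a denial, not to the file.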


Vulnerability details

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. This vulnerability is fixed in 2.63.1.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an authorization bypass in the public share download handler of a public-facing web application (File Browser), directly enabling remote exploitation for unauthorized file access without re-checking permissions.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35605 (same product: Filebrowser Filebrowser)
CVE-2026-35585 (same product: Filebrowser Filebrowser)
CVE-2025-64523 (same product: Filebrowser Filebrowser)
CVE-2026-30933 (same product: Filebrowser Filebrowser)
CVE-2025-53826 (same product: Filebrowser Filebrowser)
CVE-2026-32760 (same product: Filebrowser Filebrowser)
CVE-2026-34528 (same product: Filebrowser Filebrowser)
CVE-2026-25890 (same product: Filebrowser Filebrowser)
CVE-2026-35607 (same product: Filebrowser Filebrowser)
CVE-2026-32759 (same product: Filebrowser Filebrowser)

Affected Assets

filebrowser / filebrowser: ≤ 2.63.1

Mitigating Controls (NIST 800-53 r5, AI)

AC-24 Access Control Decisions · prevent
Requires systems to make access control decisions based on current authorizations prior to granting access, directly mitigating the public share handler's failure to re-check the share owner's revoked permissions.

AC-3 Access Enforcement · prevent
Mandates enforcement of approved authorizations for access to resources, addressing the incorrect authorization that allowed existing share links to bypass permission revocation.

prevent
Protects publicly accessible system resources such as share links from unauthorized access by unauthenticated users.
