CVE-2026-35606
Published: 07 April 2026
Summary
CVE-2026-35606 is a high-severity Missing Authorization (CWE-862) vulnerability in Filebrowser Filebrowser. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It is ranked at the 13.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Mandates enforcement of approved authorizations for accessing file contents, directly addressing the missing Perm.Download check in resourceGetHandler that allows unauthorized text file disclosure.
- SI-2 (Flaw Remediation): Requires identification, reporting, and timely remediation of flaws like the authorization bypass, as implemented in the patch for File Browser version 2.63.1.
- Least Privilege: Restricts user permissions so that the scope and impact of data reachable through the authorization bypass paths is limited.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability bypasses permission checks in a public-facing file management application, directly enabling unauthorized remote reading of text file contents (e.g., configs, scripts, logs) from the local system directory.
NVD Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other content-serving endpoints (/api/raw, /api/preview, /api/subtitle) correctly verify this permission before serving content. A user with download: false can read any text file within their scope through two bypass paths. This vulnerability is fixed in 2.63.1.
Deeper analysis
CVE-2026-35606 affects File Browser, an open-source file managing interface for uploading, deleting, previewing, renaming, and editing files in a specified directory. In versions prior to 2.63.1, the resourceGetHandler function in http/resource.go fails to check the Perm.Download permission flag before returning the full content of text files. While other endpoints such as /api/raw, /api/preview, and /api/subtitle properly verify this permission, this oversight creates a bypass allowing unauthorized access to text file contents. The vulnerability is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact accessible over the network without privileges.
Any network-accessible user, including those without download permissions (download: false), can exploit this vulnerability to read the full contents of any text file within their scoped directory via two specific bypass paths in the resourceGetHandler. Attackers require no special privileges or user interaction, enabling remote unauthorized disclosure of sensitive text-based data such as configuration files, scripts, or logs that would otherwise be protected by permission settings.
The GitHub Security Advisory (GHSA-67cg-cpj7-qgc9) confirms the issue and states that it is fixed in File Browser version 2.63.1, recommending immediate upgrade to the patched release for mitigation. No workarounds are detailed in the provided references.
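The following Go sketch is an added illustration of the defect class the advisory describes, not File Browser's own code or its 2.63.1 patch: one handler inlines a text file's body without consulting Perm.Download, the other applies the same gate the raw/preview/subtitle endpoints use. The User and file types and the in-memory files map are constructed stand-ins for the project's real user model and scoped directory.

```go
package main

import "errors"

// User, file and files are constructed stand-ins, not File Browser's own types.
type User struct{ Perm struct{ Download bool } }
type file struct {
	body   string
	isText bool // text files get their body inlined in a resource response
}

var (
	ErrNotFound  = errors.New("404 not found")
	ErrForbidden = errors.New("403 download permission required")
	files        = map[string]file{
		"/config.yaml": {"db_password: hunter2\n", true},
		"/backup.bin":  {"\x00\x01", false},
	}
)

// resourceGetVulnerable models the pre-2.63.1 behaviour the advisory describes:
// a text body is returned without consulting Perm.Download.
func resourceGetVulnerable(u User, path string) (string, error) {
	f, ok := files[path]
	if !ok {
		return "", ErrNotFound
	}
	if !f.isText {
		return "", nil // metadata-only response for non-text files
	}
	return f.body, nil // disclosed regardless of u.Perm.Download
}

// resourceGetFixed applies the gate that raw/preview/subtitle already enforce
// (NIST AC-3, access enforcement) before any content is inlined.
func resourceGetFixed(u User, path string) (string, error) {
	f, ok := files[path]
	switch {
	case !ok:
		return "", ErrNotFound
	case !f.isText:
		return "", nil
	case !u.Perm.Download:
		return "", ErrForbidden
	}
	return f.body, nil
}
```

The useful detection check for a deployment is the inverse of the fixed handler: a resource request from a user whose download flag is false that returns a body is the signature of the unpatched behaviour.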
Details
- CWE(s)