Cyber Resilience

CVE-2026-35606

Severity: Medium · Public PoC referenced
Published: 07 April 2026
Modified: 16 April 2026
KEV Added: not listed
Patch: available (fixed in 2.63.1)
CVSS v4.0 base score: 5.3 (Medium), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0004 (13.4th percentile)
Risk priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35606 is a medium-severity Missing Authorization (CWE-862) vulnerability in File Browser (vendor/product filebrowser/filebrowser). Its CVSS v4.0 base score is 5.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). EPSS places it at the 13.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35606 affects File Browser, an open-source file-management interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions prior to 2.63.1, the resourceGetHandler function in http/resource.go returns the full content of text files without checking the user's Perm.Download permission flag. The other content-serving endpoints (/api/raw, /api/preview and /api/subtitle) verify this flag before serving content, so the omission in resourceGetHandler is a bypass that lets a user who has been denied downloads read text file contents anyway. The vulnerability is classified as CWE-862 (Missing Authorization). A CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) is also recorded for it, indicating high confidentiality impact over the network; note that this vector differs from the CVSS v4.0 vector shown above (5.3, PR:L, VC:L), and the advisory text itself describes an authenticated user with download: false, so an account on the instance is a precondition either way.

Any authenticated user, including one explicitly configured with download: false, can read the full contents of any text file within their scoped directory through two bypass paths in resourceGetHandler. Beyond an ordinary account, exploitation needs no elevated privileges and no user interaction, so an attacker who holds or obtains such an account can remotely disclose configuration files, scripts, logs, or other text-based data that the download restriction was meant to protect. Access stays confined to the user's scope: the flaw is in the permission check, not in path confinement.
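To make the CWE-862 pattern concrete, the following Go program is an added example written for this page; it is not File Browser's code and does not reproduce resourceGetHandler. It models the shape the advisory describes: a per-user Perm.Download flag, a user confined to a scoped directory, and a resource handler that inlines the body of text files. vulnerableGet returns that body without consulting the flag (the pre-2.63.1 behaviour), while hardenedGet applies the same check the other content-serving endpoints use. The /resource?path= route, the User and resource types, the text-file heuristic and the in-memory store are assumptions made for the example, and the sample file contents are constructed. Whether the real fix denies the request or strips the content field is not stated on this page; the example keeps the metadata and withholds the body.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// Perm mirrors the per-user flag the advisory names (Perm.Download). Everything
// in this file is a constructed illustration of CWE-862 in a resource handler,
// not File Browser's own code.
type Perm struct {
	Download bool
}

// User is an authenticated account confined to the directory Scope.
type User struct {
	Name  string
	Scope string
	Perm  Perm
}

// resource is the JSON document the handler returns for one file.
type resource struct {
	Path    string `json:"path"`
	Size    int    `json:"size"`
	Content string `json:"content,omitempty"`
}

// store stands in for the filesystem (constructed sample data).
var store = map[string]string{
	"/home/viewer/config.yml": "db_password: hunter2\n",
	"/home/viewer/notes.txt":  "rotate the API key on Friday\n",
	"/home/viewer/logo.png":   "\x89PNG\r\n\x1a\n(binary)",
	"/etc/passwd":             "root:x:0:0:root:/root:/bin/sh\n",
}

// isText decides which files the handler would inline as text (assumed heuristic).
func isText(name string) bool {
	switch path.Ext(name) {
	case ".txt", ".yml", ".yaml", ".json", ".log", ".sh":
		return true
	}
	return false
}

// resolve canonicalises the requested path and confines it to the user's scope.
// Path confinement is present in both handlers; it is not the bug.
func resolve(u User, reqPath string) (string, bool) {
	scope := path.Clean(u.Scope)
	full := path.Join(scope, "/"+reqPath)
	if full != scope && !strings.HasPrefix(full, strings.TrimSuffix(scope, "/")+"/") {
		return "", false
	}
	return full, true
}

// serve is the shared body of both handlers; checkDownload toggles the
// authorization check that the vulnerable version omits.
func serve(u User, checkDownload bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		p, ok := resolve(u, r.URL.Query().Get("path"))
		if !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		body, ok := store[p]
		if !ok {
			http.NotFound(w, r)
			return
		}
		res := resource{Path: p, Size: len(body)}
		if isText(p) {
			// The missing check: without it a download:false user receives
			// the full body of every text file in scope.
			if !checkDownload || u.Perm.Download {
				res.Content = body
			}
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(res)
	}
}

// vulnerableGet mimics the pre-2.63.1 behaviour described in the advisory.
func vulnerableGet(u User) http.HandlerFunc { return serve(u, false) }

// hardenedGet applies the Perm.Download rule the other content endpoints
// already enforce; metadata is still returned, the body is withheld.
func hardenedGet(u User) http.HandlerFunc { return serve(u, true) }

// fetch drives a handler through httptest and decodes the JSON reply.
func fetch(h http.Handler, p string) (int, resource) {
	req := httptest.NewRequest(http.MethodGet, "/resource?path="+url.QueryEscape(p), nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var res resource
	if rec.Code == http.StatusOK {
		_ = json.NewDecoder(rec.Body).Decode(&res)
	}
	return rec.Code, res
}

func main() {
	viewer := User{Name: "viewer", Scope: "/home/viewer", Perm: Perm{Download: false}}
	for _, f := range []string{"config.yml", "logo.png", "../../etc/passwd"} {
		vc, vr := fetch(vulnerableGet(viewer), f)
		hc, hr := fetch(hardenedGet(viewer), f)
		fmt.Printf("%-18s vulnerable: %d %q  hardened: %d %q\n", f, vc, vr.Content, hc, hr.Content)
	}
}
```

Run it with go run and compare the two columns: the scope check rejects the traversal attempt identically in both handlers, which is the point of the advisory; path confinement was never the problem, the absent authorization check on the text body was.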

The GitHub Security Advisory (GHSA-67cg-cpj7-qgc9) confirms the issue and states that it is fixed in File Browser version 2.63.1; upgrade to that release or later. No workarounds are detailed in the provided references, so until the upgrade is applied, treat download: false as not enforced for text files and review which directories users carrying that flag are scoped into.


Vulnerability details

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other content-serving endpoints (/api/raw, /api/preview, /api/subtitle) correctly verify this permission before serving content. A user with download: false can read any text file within their scope through two bypass paths. This vulnerability is fixed in 2.63.1.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why this technique?

The vulnerability bypasses permission checks in a public-facing file management application, directly enabling unauthorized remote reading of text file contents (e.g., configs, scripts, logs) from the local system directory.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30933 (same product: Filebrowser Filebrowser)
CVE-2026-25890 (same product: Filebrowser Filebrowser)
CVE-2026-32760 (same product: Filebrowser Filebrowser)
CVE-2026-34528 (same product: Filebrowser Filebrowser)
CVE-2026-30934 (same product: Filebrowser Filebrowser)
CVE-2025-53826 (same product: Filebrowser Filebrowser)
CVE-2026-29188 (same product: Filebrowser Filebrowser)
CVE-2026-35607 (same product: Filebrowser Filebrowser)
CVE-2026-32759 (same product: Filebrowser Filebrowser)
CVE-2026-34529 (same product: Filebrowser Filebrowser)

Affected Assets

Vendor: filebrowser
Product: filebrowser
Versions: ≤ 2.63.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent)
Mandates enforcement of approved authorizations for accessing file contents, directly addressing the missing Perm.Download check in resourceGetHandler that allows unauthorized text file disclosure.

SI-2 Flaw Remediation (prevent)
Requires identification, reporting, and timely remediation of flaws like this authorization bypass, as implemented in the patch for File Browser version 2.63.1.

AC-6 Least Privilege (prevent)
Employs least privilege to restrict user permissions, limiting the scope and impact of data accessible through the authorization bypass paths.
