CVE-2026-28492: FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory
When a user creates a public share link for a directory, the withHashFile middleware in http/public.go (line 59) computes the BasePathFs root with filepath.Dir(link.Path), i.e. the parent of the shared directory rather than the shared directory itself. Because the filesystem root is one level too wide, anyone holding the share link can browse and download files from every sibling directory of the shared one.
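The following Go program is an added illustration of the root-scoping mistake described above; it is not FileBrowser's code. ScopedFS is a simplified stand-in for the containment rule of a base-path filesystem (join the name to the root, then require the result to stay under the root), ResolveShareRequest is a hypothetical model of how a share handler derives the in-share path from the share's filesystem root, and the paths /srv/data/public and /srv/data/private are constructed sample values. It shows that with the root at filepath.Dir(link.Path) a request for a sibling directory's file still passes the containment check, while with the root at link.Path the same request is rejected and a legitimate request inside the share still works. RootIsTooWide is the one-line invariant a regression test for this class of bug can assert.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ScopedFS models a filesystem rooted at Root: every name is joined to Root
// and must resolve to a path inside Root (stand-in for afero's BasePathFs rule).
type ScopedFS struct{ Root string }

// Resolve returns the absolute path for name and whether it lies within Root.
func (s ScopedFS) Resolve(name string) (string, bool) {
	root := filepath.Clean(s.Root)
	full := filepath.Clean(filepath.Join(root, name))
	if full == root || strings.HasPrefix(full, root+string(filepath.Separator)) {
		return full, true
	}
	return full, false
}

// ShareRootVulnerable reproduces the flawed root computation: the parent of
// the shared directory becomes the filesystem root.
func ShareRootVulnerable(linkPath string) string { return filepath.Dir(linkPath) }

// ShareRootFixed scopes the filesystem to the shared directory itself.
func ShareRootFixed(linkPath string) string { return linkPath }

// ResolveShareRequest is a hypothetical model of the share handler (assumption,
// not FileBrowser's code): the path served is the share directory's location
// relative to the filesystem root, joined with the client-supplied request path,
// and is then subject to the root containment check.
func ResolveShareRequest(root, linkPath, req string) (string, bool) {
	inShare := strings.TrimPrefix(filepath.Clean(linkPath), filepath.Clean(root))
	return ScopedFS{Root: root}.Resolve(filepath.Join(inShare, req))
}

// RootIsTooWide is the invariant a test for this bug class should assert:
// a directory share must be rooted exactly at the shared directory.
func RootIsTooWide(linkPath, root string) bool {
	return filepath.Clean(root) != filepath.Clean(linkPath)
}

func main() {
	link := "/srv/data/public" // constructed sample share path
	for _, req := range []string{"report.pdf", "../private/secret.txt"} {
		for name, root := range map[string]string{
			"vulnerable": ShareRootVulnerable(link),
			"fixed":      ShareRootFixed(link),
		} {
			p, ok := ResolveShareRequest(root, link, req)
			fmt.Printf("%-10s root=%-17s req=%-22s -> %s served=%v\n", name, root, req, p, ok)
		}
	}
}
```

Running the program shows the vulnerable root admitting /srv/data/private/secret.txt while the fixed root rejects it; only the fixed root satisfies !RootIsTooWide, which is the check to add alongside the upstream patch.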
References
- github.com/advisories/GHSA-mr74-928f-rw69
- github.com/filebrowser/filebrowser
- github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83
- github.com/filebrowser/filebrowser/releases/tag/v2.61.0
- github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69
- nvd.nist.gov/vuln/detail/CVE-2026-28492
Detect and mitigate CVE-2026-28492 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →