CVE-2026-35604: File Browser share links remain accessible after Share/Download permissions are revoked

April 8, 2026

When an admin revokes a user’s Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner’s current permissions. Verified with a running PoC against v2.62.2 (commit 860c19d).

References

github.com/advisories/GHSA-v9w4-gm2x-6rvf
github.com/filebrowser/filebrowser
github.com/filebrowser/filebrowser/pull/5888
github.com/filebrowser/filebrowser/security/advisories/GHSA-v9w4-gm2x-6rvf
nvd.nist.gov/vuln/detail/CVE-2026-35604

Code Behaviors & Features

Detect and mitigate CVE-2026-35604 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →