CVE-2026-35606: File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
The resourceGetHandler in http/resource.go returns the full content of text files without checking the user's Perm.Download permission flag. The three other content-serving endpoints (/api/raw, /api/preview, /api/subtitle) all verify this permission before serving any bytes; /api/resources is the only one that does not. A user whose account is configured with download: false can therefore read any text file within their scope through two bypass paths.
Confirmed on v2.62.2 (commit 860c19d).
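To make the missing check concrete, the following is an added Go example, not File Browser's own code, that models the flawed handler next to a hardened one and exercises both in-process. The Permissions/User/Resource types, the in-memory files and users tables, the X-Test-User header used to pick the caller, and the choice to strip the content field rather than return 403 are all assumptions made for the illustration; the project's real user plumbing, JSON shape and eventual fix may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Permissions is a stand-in for the per-user permission flags; only the
// Download flag matters here (assumed shape, modelled on the advisory text).
type Permissions struct {
	Download bool
}

// User is the authenticated caller as the handlers see it (assumed shape).
type User struct {
	Username string
	Perm     Permissions
}

// Resource is the JSON document a resource endpoint returns for one file.
// Content is the field the flawed handler leaks.
type Resource struct {
	Path    string `json:"path"`
	Type    string `json:"type"`
	Size    int    `json:"size"`
	Content string `json:"content,omitempty"`
}

// files is a constructed in-memory stand-in for the user's scoped directory.
var files = map[string]string{
	"/notes.txt": "db_password=hunter2\n",
	"/blob.bin":  "\x7fELF\x02\x01\x01",
}

// users is a constructed user table; "viewer" has download disabled.
var users = map[string]*User{
	"admin":  {Username: "admin", Perm: Permissions{Download: true}},
	"viewer": {Username: "viewer", Perm: Permissions{Download: false}},
}

func isText(name string) bool { return strings.HasSuffix(name, ".txt") }

// vulnerableGet reproduces the flaw: for text files the body is attached
// without ever consulting Perm.Download.
func vulnerableGet(u *User, p string) (int, Resource) {
	data, ok := files[p]
	if !ok {
		return http.StatusNotFound, Resource{}
	}
	res := Resource{Path: p, Type: "blob", Size: len(data)}
	if isText(p) {
		res.Type = "text"
		res.Content = data // served regardless of the user's permission
	}
	return http.StatusOK, res
}

// hardenedGet applies the same gate the other content-serving endpoints
// use: metadata is still returned, file bytes only when Download is set.
func hardenedGet(u *User, p string) (int, Resource) {
	data, ok := files[p]
	if !ok {
		return http.StatusNotFound, Resource{}
	}
	res := Resource{Path: p, Type: "blob", Size: len(data)}
	if isText(p) {
		res.Type = "text"
		if u.Perm.Download {
			res.Content = data
		}
	}
	return http.StatusOK, res
}

// endpoint adapts either implementation to an HTTP handler. The caller is
// chosen by the constructed X-Test-User header; a real deployment resolves
// the user from its session or token instead.
func endpoint(get func(*User, string) (int, Resource)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		u, ok := users[r.Header.Get("X-Test-User")]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		code, res := get(u, strings.TrimPrefix(r.URL.Path, "/api/resources"))
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(code)
		_ = json.NewEncoder(w).Encode(res)
	}
}

// fetch issues one in-process request and reports the status code and
// whether the JSON body exposed file content; usable as a regression check.
func fetch(h http.HandlerFunc, user, p string) (int, bool) {
	req := httptest.NewRequest(http.MethodGet, "/api/resources"+p, nil)
	req.Header.Set("X-Test-User", user)
	rec := httptest.NewRecorder()
	h(rec, req)
	var res Resource
	_ = json.Unmarshal(rec.Body.Bytes(), &res) // non-JSON error bodies leave Content empty
	return rec.Code, res.Content != ""
}

func main() {
	impls := map[string]func(*User, string) (int, Resource){"vulnerable": vulnerableGet, "hardened": hardenedGet}
	for _, name := range []string{"vulnerable", "hardened"} {
		code, leaked := fetch(endpoint(impls[name]), "viewer", "/notes.txt")
		fmt.Printf("%-10s viewer GET /api/resources/notes.txt -> %d, content exposed: %v\n", name, code, leaked)
	}
}
```

Running this shows the viewer account (download: false) receiving the text file's body from the vulnerable handler and only metadata from the hardened one, while an account with Download set still gets content from both. The same fetch helper can be pointed at each content-serving route to confirm that every one of them enforces the flag, which is the check the advisory says /api/resources alone was missing.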