CVE-2026-30933: FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info

March 9, 2026 (updated April 27, 2026)

The remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2.

References

github.com/advisories/GHSA-525j-95gf-766f
github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable
github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta
github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f
nvd.nist.gov/vuln/detail/CVE-2026-30933

Code Behaviors & Features

Detect and mitigate CVE-2026-30933 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →