Platform
go
Component
github.com/gtsteffaniak/filebrowser/backend
Fixed in
1.1.4
1.2.1
0.0.0-20260221163904-dbcfba993b85
CVE-2026-27611 is a security vulnerability affecting the File Browser Backend, a Go-based file management application. This flaw allows unauthorized users to bypass password protection on shared files, granting them direct access to download the content. The vulnerability impacts versions prior to 0.0.0-20260221163904-dbcfba993b85, and a fix has been released.
The primary impact of CVE-2026-27611 is the unauthorized disclosure of sensitive files. An attacker possessing the share link can bypass the password requirement and directly download the protected file. This poses a significant risk to data confidentiality, particularly if the shared files contain confidential documents, personal information, or proprietary data. The blast radius extends to any user who shares files through File Browser Backend, as the share link can be distributed widely, potentially exposing the files to a large number of unauthorized individuals. While the vulnerability doesn't directly lead to system compromise, the data exposure can have severe consequences depending on the nature of the files.
CVE-2026-27611 was publicly disclosed on February 25, 2026. A proof-of-concept (PoC) demonstrating the vulnerability is available, indicating a relatively low barrier to exploitation. The vulnerability is not currently listed on CISA KEV as of this writing, and there are no reports of active exploitation campaigns. The NVD entry was published on the same date as the public disclosure.
Exploit Status
EPSS
0.03% (10% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27611 is to upgrade to version 0.0.0-20260221163904-dbcfba993b85 or later. If an immediate upgrade is not feasible, consider temporarily disabling the file sharing feature or restricting access to the File Browser Backend to trusted users only. While a direct WAF rule is difficult to implement without modifying the application, monitoring for unusual download patterns from shares could provide an early warning. There are no specific Sigma or YARA patterns available for this vulnerability at this time.
Update FileBrowser Quantum to version 1.1.3-stable or 1.2.6-beta or higher. This corrects the vulnerability that allows users to bypass password protection on shared file links.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27611 is a vulnerability in the File Browser Backend that allows attackers to bypass password protection on shared files by exploiting a direct download link.
You are affected if you are using File Browser Backend versions prior to 0.0.0-20260221163904-dbcfba993b85 and are sharing files with password protection.
Upgrade to version 0.0.0-20260221163904-dbcfba993b85 or later to patch the vulnerability. If immediate upgrade is not possible, disable file sharing or restrict access.
There are currently no confirmed reports of active exploitation, but a public proof-of-concept exists, indicating a potential risk.
Refer to the File Browser Backend project's repository or website for the official advisory and release notes.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.