Platform: go
Component: github.com/gtsteffaniak/filebrowser/backend
Fixed in: 1.1.4, 1.2.1, 0.0.0-20260221163904-dbcfba993b85
CVE-2026-27611 is a security vulnerability affecting the File Browser Backend, a Go-based file management application. This flaw allows unauthorized users to bypass password protection on shared files, granting them direct access to download the content. The vulnerability impacts versions prior to 0.0.0-20260221163904-dbcfba993b85, and a fix has been released.
The primary impact of CVE-2026-27611 is the unauthorized disclosure of sensitive files. An attacker possessing the share link can bypass the password requirement and directly download the protected file. This poses a significant risk to data confidentiality, particularly if the shared files contain confidential documents, personal information, or proprietary data. The blast radius extends to any user who shares files through File Browser Backend, as the share link can be distributed widely, potentially exposing the files to a large number of unauthorized individuals. While the vulnerability doesn't directly lead to system compromise, the data exposure can have severe consequences depending on the nature of the files.
CVE-2026-27611 was publicly disclosed on February 25, 2026. A proof-of-concept (PoC) demonstrating the vulnerability is available, indicating a relatively low barrier to exploitation. The vulnerability is not currently listed on CISA KEV as of this writing, and there are no reports of active exploitation campaigns. The NVD entry was published on the same date as the public disclosure.
Organizations and individuals using File Browser Backend to share files, particularly those relying on password protection for sensitive data, are at risk. Shared hosting environments where multiple users share the same File Browser Backend instance are especially vulnerable, as a compromised share link could expose files belonging to other users.
• linux / server: Monitor File Browser Backend access logs for requests to the direct download link endpoint, especially those originating from unexpected IP addresses. Use journalctl -u filebrowser to review logs for suspicious activity.
journalctl -u filebrowser | grep 'direct download link'
• generic web: Use curl to test share links and verify password protection is enforced. Check response headers for unauthorized access.
curl -I <share_link>
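As an added illustration of the log monitoring suggested above (example code, not part of the advisory and not code from the File Browser project), the following script parses constructed access log lines and flags any share whose content was downloaded from more than one address outside a trusted network, which is the "unusual download pattern" an operator would want an early warning for. The combined log line format, the /api/public/dl/ route prefix, the share identifier layout and the trusted 10.0.0.0/8 network are all assumptions; substitute the instance's real log format and share download route.

```python
# Added example: flag unusual download activity on File Browser share links.
# Assumptions (not from the advisory): combined-style access log lines and
# share download URLs of the form /api/public/dl/<share-id>/<file>.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (combined log format, assumed).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2026:10:00:01 +0000] "GET /api/public/dl/abc123/report.pdf HTTP/1.1" 200 5120
10.0.0.5 - - [25/Feb/2026:10:00:09 +0000] "GET /api/public/dl/abc123/report.pdf HTTP/1.1" 200 5120
203.0.113.7 - - [25/Feb/2026:10:01:15 +0000] "GET /api/public/dl/abc123/report.pdf HTTP/1.1" 200 5120
198.51.100.9 - - [25/Feb/2026:10:01:40 +0000] "GET /api/public/dl/abc123/report.pdf HTTP/1.1" 200 5120
198.51.100.10 - - [25/Feb/2026:10:02:02 +0000] "GET /api/public/dl/abc123/report.pdf HTTP/1.1" 200 5120
10.0.0.8 - - [25/Feb/2026:10:03:00 +0000] "GET /api/public/dl/def456/notes.txt HTTP/1.1" 401 0
10.0.0.8 - - [25/Feb/2026:10:03:30 +0000] "GET /login HTTP/1.1" 200 812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumed share download route prefix; adjust to the instance's real route.
SHARE_RE = re.compile(r"^/api/public/dl/(?P<share>[^/]+)/")

# Networks from which share downloads are expected (constructed).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_trusted(ip):
    """True if the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def share_download_events(log_text):
    """Yield (share_id, client_ip, timestamp) for successful share downloads."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        m = SHARE_RE.match(rec["path"])
        # Only 2xx responses mean content was actually served.
        if m and 200 <= rec["status"] < 300:
            yield m.group("share"), rec["ip"], rec["ts"]


def find_suspicious_shares(log_text, max_untrusted_ips=1):
    """Return {share_id: sorted untrusted client IPs} for shares downloaded
    from more than max_untrusted_ips distinct addresses outside TRUSTED_NETS."""
    by_share = defaultdict(set)
    for share, ip, _ts in share_download_events(log_text):
        if not is_trusted(ip):
            by_share[share].add(ip)
    return {s: sorted(ips) for s, ips in by_share.items() if len(ips) > max_untrusted_ips}


if __name__ == "__main__":
    for share, ips in find_suspicious_shares(SAMPLE_LOG).items():
        print(f"share {share}: downloads from untrusted addresses {', '.join(ips)}")
```

Run against a real log (for example the output of journalctl -u filebrowser), the share route and the trusted networks are the two knobs to adjust; a share served to several addresses outside the expected range is the signal to check whether its password prompt was actually enforced.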
Exploit status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27611 is to upgrade to version 0.0.0-20260221163904-dbcfba993b85 or later. If an immediate upgrade is not feasible, consider temporarily disabling the file sharing feature or restricting access to the File Browser Backend to trusted users only. While a direct WAF rule is difficult to implement without modifying the application, monitoring for unusual download patterns from shares could provide an early warning. There are no specific Sigma or YARA patterns available for this vulnerability at this time.
Update FileBrowser Quantum to version 1.1.3-stable or 1.2.6-beta or higher. This fixes the vulnerability that allowed password protection on shared file links to be bypassed.
CVE-2026-27611 is a vulnerability in the File Browser Backend that allows attackers to bypass password protection on shared files by exploiting a direct download link.
You are affected if you are using File Browser Backend versions prior to 0.0.0-20260221163904-dbcfba993b85 and are sharing files with password protection.
Upgrade to version 0.0.0-20260221163904-dbcfba993b85 or later to patch the vulnerability. If immediate upgrade is not possible, disable file sharing or restrict access.
There are currently no confirmed reports of active exploitation, but a public proof-of-concept exists, indicating a potential risk.
Refer to the File Browser Backend project's repository or website for the official advisory and release notes.