Platform
go
Component
github.com/gtsteffaniak/filebrowser/backend
Fixed versions
1.1.4
1.2.1
0.0.0-20260221163904-dbcfba993b85
CVE-2026-27611 is a security vulnerability in File Browser Backend (the backend of the Go-based File Browser file management application). The flaw lets an unauthenticated user bypass the password protection on a shared file and download its content directly. Affected versions are those before the fixed versions listed above (1.1.4, 1.2.1, and the Go pseudo-version 0.0.0-20260221163904-dbcfba993b85); a fix has been released.
The primary impact of CVE-2026-27611 is unauthorized disclosure of shared files. An attacker who holds the share link can skip the password step and download the protected file. This is a confidentiality risk, and a serious one if the shared files contain confidential documents, personal information, or proprietary data. The blast radius covers every user who shares files through File Browser Backend, because a share link is easy to forward and may reach far more people than the intended recipient. The vulnerability does not by itself lead to system compromise, but the consequences of the data exposure depend entirely on what was shared.
CVE-2026-27611 was publicly disclosed on February 25, 2026, and the NVD entry was published the same day. A public proof-of-concept (PoC) exists, so the barrier to exploitation is low. As of this writing the vulnerability is not listed in CISA KEV and there are no reports of active exploitation campaigns.
Organizations and individuals who use File Browser Backend to share files, and who rely on share passwords to protect sensitive data, are at risk. Multi-tenant deployments where several users share one File Browser Backend instance deserve particular attention: a leaked share link exposes the underlying file regardless of which user created the share.
• linux / server: Monitor File Browser Backend access logs for requests to the direct download link endpoint, especially those originating from unexpected IP addresses. Use journalctl -u filebrowser to review the service log for suspicious activity. The page does not give the endpoint's path; the grep pattern below is a placeholder and should be replaced with the download path as it appears in your instance's logs.
journalctl -u filebrowser | grep 'direct download link'
• generic web: Use curl to test share links and verify that password protection is enforced. Check the response status and headers for unauthorized access. Note that -I sends a HEAD request; repeat the check with a plain GET (for example curl -s -o /dev/null -w '%{http_code}' <share_link>), because a download handler may not treat HEAD the same way as GET.
curl -I <share_link>
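The curl check above can be turned into a repeatable test that you run against every share link after patching. The following Go program is an added example, not code from the File Browser project or from this advisory: it requests the share download URL anonymously (no cookie, no Authorization header, no password), refuses to follow redirects so a bounce to a password prompt is reported as such, and flags the share as exposed only when the server answers 200 with a body. The URL path of the direct download link is not given on this page, so the program takes the full URL as an argument; the path segments used in comments and the responses it expects from a fixed server (401/403 or a redirect) are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// ShareCheck records what an anonymous request to a share URL returned.
type ShareCheck struct {
	Status  int   // HTTP status code
	Bytes   int64 // bytes of body read (capped at 1 MiB)
	Exposed bool  // true when a 200 with a body came back although no credential was sent
}

// NewClient returns an http.Client that does not follow redirects, so a 302 to a
// password prompt is reported as-is instead of being silently followed.
func NewClient(timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout: timeout,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// CheckShare fetches shareURL with a plain GET: no cookies, no Authorization
// header, no password in the query or body. Assumption: a password-protected
// share answers 401/403 or redirects to a prompt; a 200 with a body means the
// protection was bypassed. Pass the exact download URL your instance exposes.
func CheckShare(client *http.Client, shareURL string) (ShareCheck, error) {
	req, err := http.NewRequest(http.MethodGet, shareURL, nil)
	if err != nil {
		return ShareCheck{}, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return ShareCheck{}, err
	}
	defer resp.Body.Close()
	// Read at most 1 MiB: enough to prove content was served, without pulling a
	// large file in full.
	n, err := io.Copy(io.Discard, io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return ShareCheck{}, err
	}
	return ShareCheck{
		Status:  resp.StatusCode,
		Bytes:   n,
		Exposed: resp.StatusCode == http.StatusOK && n > 0,
	}, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: sharecheck <share-download-url>")
		os.Exit(2)
	}
	res, err := CheckShare(NewClient(10*time.Second), os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "request failed:", err)
		os.Exit(1)
	}
	if res.Exposed {
		fmt.Printf("EXPOSED: status %d, %d bytes served without a password\n", res.Status, res.Bytes)
		os.Exit(1)
	}
	fmt.Printf("protected: status %d, %d bytes\n", res.Status, res.Bytes)
}
```

Run it against a share you created with a password; a non-zero exit with "EXPOSED" means the instance is still vulnerable. Because the client never follows redirects, a 3xx response is treated as "protected" here; confirm by hand that the redirect target actually is a password prompt and not another copy of the file.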
Exploitation status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27611 is to upgrade to a fixed version (1.1.4, 1.2.1, or pseudo-version 0.0.0-20260221163904-dbcfba993b85 or later). If an immediate upgrade is not feasible, temporarily disable the file sharing feature or restrict access to the File Browser Backend to trusted users only. A targeted WAF rule is hard to write without changing the application, but monitoring for unusual download volume from share links can provide an early warning. No Sigma or YARA patterns specific to this vulnerability are available at this time.
Update FileBrowser Quantum to 1.1.3-stable or 1.2.6-beta or later. This fixes the vulnerability that allowed users to bypass password protection on shared file links. (The fixed-version list at the top of this page gives 1.1.4 and 1.2.1; check the project's release notes for the exact release that carries the fix on your branch.)
CVE-2026-27611 is a vulnerability in File Browser Backend that allows attackers to bypass password protection on shared files through the share's direct download link.
You are affected if you run a File Browser Backend version older than the fixed versions listed above (1.1.4, 1.2.1, or pseudo-version 0.0.0-20260221163904-dbcfba993b85) and share files with password protection.
Upgrade to a fixed version to patch the vulnerability. If an immediate upgrade is not possible, disable file sharing or restrict access to the instance.
There are currently no confirmed reports of active exploitation, but a public proof-of-concept exists, so the risk is real.
Refer to the File Browser Backend project's repository or website for the official advisory and release notes.