CVE-2026-27611 PUBLISHED

FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

Assigner: GitHub_M
Reserved: 20.02.2026 Published: 25.02.2026 Updated: 25.02.2026

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 7.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	gtsteffaniak
Product	filebrowser
Versions	Version < 1.1.3-stable is affected Version >= 1.2.0-beta, < 1.2.6-beta is affected

References

Problem Types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE
CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE
CWE-287: Improper Authentication CWE