Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-54091
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-25 Jun, 2026 | 17:43
Updated At-26 Jun, 2026 | 18:42
Rejected At-
▼CVE Numbering Authority (CNA)
File Browser: Incorrect access control in public directory shares via rule path rebasing

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope. As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through `GET /api/public/share/*` and `GET /api/public/dl/*`. This vulnerability is fixed in 2.63.6.

Affected Products
Vendor
filebrowser
Product
filebrowser
Versions
Affected
  • < 2.63.6
Problem Types
TypeCWE IDDescription
CWECWE-863CWE-863: Incorrect Authorization
Type: CWE
CWE ID: CWE-863
Description: CWE-863: Incorrect Authorization
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-j9jx-hp4c-ghhh
x_refsource_CONFIRM
https://github.com/filebrowser/filebrowser/commit/e07c59df0b850f5924d5b1683e8609661ddcf534
x_refsource_MISC
https://github.com/filebrowser/filebrowser/releases/tag/v2.63.6
x_refsource_MISC
Hyperlink: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-j9jx-hp4c-ghhh
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/filebrowser/filebrowser/commit/e07c59df0b850f5924d5b1683e8609661ddcf534
Resource:
x_refsource_MISC
Hyperlink: https://github.com/filebrowser/filebrowser/releases/tag/v2.63.6
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Details not found