Severity: HIGH
Repository: filebrowser/filebrowser
Published: Apr 8, 2026, 12:04 AM
Ref: a8fc1657b796c5da7190466beff13e680721b6d3
Advisory summary
File Browser share links remain accessible after Share/Download permissions are revoked
Curator analysis
Synopsis
Public share download access does not re-validate the share owner's current Share and Download permissions, so previously created share links remain accessible after those permissions are revoked.
Vulnerability classes
authorization policy bypass, improper access control
Sink hints
http/public.go
The advisory identifies withHashFile in this file as the public share access path that loads the share and owner but omits a current permission check before serving the file.
http/share.go
This file contains the share creation guard that correctly requires both Share and Download permissions, providing the intended policy to compare against the public access flow.
Expected components
public share download flow, withHashFile, share permission guard
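To make the gap between the two sink hints concrete, here is an added example (written for this page, not filebrowser's own code; the User, Share and Store types and the Unchecked/Checked resolvers are hypothetical stand-ins): the unchecked resolver serves a file as long as the share and its owner still exist, while the hardened one re-applies the creation-time guard (Share AND Download) on every public access, so a revoked permission disables existing links immediately.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified types (not filebrowser's own): a share owner and a share record.
type User struct{ Share, Download bool }
type Share struct{ Path, Owner string }
type Store struct {
	Users  map[string]*User
	Shares map[string]Share
}

var ErrForbidden = errors.New("share owner lacks Share or Download permission")

// load fetches the share and its owner, the part both access paths have in common.
func (s *Store) load(hash string) (Share, *User, error) {
	sh, ok := s.Shares[hash]
	owner := s.Users[sh.Owner]
	if !ok || owner == nil {
		return Share{}, nil, errors.New("share or owner not found")
	}
	return sh, owner, nil
}

// Unchecked mirrors the vulnerable flow: the owner is loaded but never re-validated.
func (s *Store) Unchecked(hash string) (string, error) {
	sh, _, err := s.load(hash) // owner record is fetched and then ignored
	return sh.Path, err
}

// Checked re-applies the creation-time guard (Share AND Download) on every public access.
func (s *Store) Checked(hash string) (string, error) {
	sh, owner, err := s.load(hash)
	if err != nil {
		return "", err
	}
	if !owner.Share || !owner.Download {
		return "", ErrForbidden
	}
	return sh.Path, nil
}

func main() {
	// Constructed sample data: alice creates a link, then an admin revokes her Share permission.
	alice := &User{Share: true, Download: true}
	st := &Store{Users: map[string]*User{"alice": alice}, Shares: map[string]Share{"abc123": {Path: "/srv/files/report.pdf", Owner: "alice"}}}
	alice.Share = false
	_, errU := st.Unchecked("abc123")
	_, errC := st.Checked("abc123")
	fmt.Println("unchecked still serves:", errU == nil, "| checked still serves:", errC == nil) // true | false
}
```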
Model scores (5)

Model | Rating | Total | Target Alignment | Source To Sink Reasoning | Impact And Exploitability | Evidence Quality | Overclaim Control
openai/gpt-5.4 | excellent | 100.00 | 30 | 30 | 20 | 10 | 10
anthropic/claude-opus-4.6 | excellent | 98.00 | 30 | 29 | 19 | 10 | 10
z-ai/glm-5.1 | excellent | 97.00 | 30 | 29 | 19 | 10 | 9
moonshotai/kimi-k2.5 | excellent | 96.00 | 9.8 | 9.6 | 9.2 | 9.4 | 9.1
google/gemini-3.1-pro-preview | excellent | 95.00 | 29 | 29 | 18 | 9 | 10