#VU125403 Incorrect authorization in FileBrowser - CVE-2026-35604
Published: April 8, 2026
Vulnerability identifier: #VU125403
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-35604
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
FileBrowser
FileBrowser
Software vendor:
File Browser
File Browser
Description
The vulnerability allows a remote attacker to disclose files through previously created share links after permissions are revoked.
The vulnerability exists due to incorrect authorization in the public share download handler when processing requests for existing public share links after an administrator revokes the share owner's Share and Download permissions. A remote attacker can request a previously issued share link to disclose files through previously created share links after permissions are revoked.
The issue affects existing public share links created before the permission change, while creation of new share links is correctly blocked.
Remediation
Install security update from vendor's website.