CVE-2026-30933 - Vulnerability Details - OpenCVE

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable
https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta
https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f

History

Tue, 10 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
Title		FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info
Weaknesses		CWE-200 CWE-306 CWE-602
References		https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-10T16:10:56.494Z

Updated: 2026-03-10T16:41:10.543Z

Reserved: 2026-03-07T16:40:05.885Z

Link: CVE-2026-30933

Vulnrichment

Updated: 2026-03-10T16:40:56.028Z

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30933", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T16:40:05.885Z", "datePublished": "2026-03-10T16:10:56.494Z", "dateUpdated": "2026-03-10T16:41:10.543Z"}, "containers": {"cna": {"title": "FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-602", "lang": "en", "description": "CWE-602: Client-Side Enforcement of Server-Side Security", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f"}, {"name": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable", "tags": ["x_refsource_MISC"], "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable"}, {"name": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta", "tags": ["x_refsource_MISC"], "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta"}], "affected": [{"vendor": "gtsteffaniak", "product": "filebrowser", "versions": [{"version": ">= 1.3.0-beta, < 1.3.1-beta", "status": "affected"}, {"version": ">= 1.2.6-beta, < 1.2.2-stable", "status": "affected"}, {"version": "= 1.1.3-stable", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T16:10:56.494Z"}, "descriptions": [{"lang": "en", "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable."}], "source": {"advisory": "GHSA-525j-95gf-766f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30933", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T16:38:31.235168Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:41:10.543Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30933", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T16:38:31.235168Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:40:56.028Z"}}], "cna": {"title": "FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info", "source": {"advisory": "GHSA-525j-95gf-766f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gtsteffaniak", "product": "filebrowser", "versions": [{"status": "affected", "version": ">= 1.3.0-beta, < 1.3.1-beta"}, {"status": "affected", "version": ">= 1.2.6-beta, < 1.2.2-stable"}, {"status": "affected", "version": "= 1.1.3-stable"}]}], "references": [{"url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f", "name": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable", "name": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta", "name": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-602", "description": "CWE-602: Client-Side Enforcement of Server-Side Security"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T16:10:56.494Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30933", "state": "PUBLISHED", "dateUpdated": "2026-03-10T16:41:10.543Z", "dateReserved": "2026-03-07T16:40:05.885Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T16:10:56.494Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}