The vulnerability arises because FileBrowser’s public share link handler sanitizes user-supplied paths in the wrong order. When a public share is created with delete permissions, the application constructs the full filesystem path by joining the trusted base path of the share with the attacker‑controlled `path` parameter before it calls the sanitization routine. An unauthenticated attacker can therefore place path traversal sequences (`../`) in the `path` query parameter of a DELETE request: the join operation resolves those sequences, producing a path that points outside the shared directory, and the subsequent call to SanitizeUserPath() operates on an already-resolved path, so it has nothing left to strip. Because the middleware does not re‑validate the final path against the share’s scope, the server deletes the file at the resolved location. The bulk DELETE endpoint has the same flaw, accepting the same unsanitized path values in the JSON request body. Consequently, an attacker who holds a valid public share hash for a share with delete permissions enabled can delete arbitrary files anywhere within the share owner’s storage scope, causing unauthorized data loss or service disruption.
DailyCVE Form
Platform: FileBrowser
Version: <2.61.0
Vulnerability: Path Traversal
Severity: High
Date: 2026‑03‑05
Prediction: 2026‑04‑10
Analytics under What Undercode Say:
Identify vulnerable endpoints
curl -X DELETE "http://localhost/public/api/resources?hash=<HASH>&path=../protected.txt"
Bulk delete PoC
curl -X DELETE "http://localhost/public/api/resources/bulk?hash=<HASH>" \
-H "Content-Type: application/json" \
-d '[{"path":"../protected.txt"}]'
Check for path sanitization order in source (line numbers are illustrative)
grep -n "SanitizeUserPath" middleware.go resource.go
Exploit:
An attacker who obtains a public share link (e.g., via social engineering or from a previous leak) can send a DELETE request to the `/public/api/resources` endpoint with a `path` parameter containing ../. For example, if the shared directory is /folder/shared_subdir/, the request `/public/api/resources?hash=
Protection from this CVE
- Upgrade to FileBrowser version 2.61.0 or later.
- If an immediate upgrade is not possible, revoke all existing public share links and disable delete permissions for all public shares.
- Sanitize the user‑supplied path segment before joining it with the trusted base directory, never after.
- After the join, re‑validate that the resolved path is still inside the share root (equal to it or prefixed by it plus a separator) before any filesystem operation; stripping `../` alone is not sufficient once the path has already been resolved.
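The order-of-operations flaw described above and the fix recommended in the list can be shown side by side. The following Go program is an added example written for this page; it is not FileBrowser's own code, and `sanitizeUserPath`, `withinShare`, the share root `/srv/data/shared` and the sample paths are assumptions chosen for illustration. `vulnerableResolve` joins first and sanitizes afterwards, `safeResolve` sanitizes first, joins, and then re-checks scope, and `resolveBulk` applies the same check to every entry of a bulk request body.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrOutsideShare is returned when a resolved path leaves the share root.
var ErrOutsideShare = errors.New("resolved path escapes the share root")

// sanitizeUserPath is an assumed stand-in for a user-path sanitiser (not
// FileBrowser's own routine): it resolves the input against "/" so that
// ".." cannot climb above the root, and returns a root-relative path.
func sanitizeUserPath(p string) string {
	return strings.TrimPrefix(path.Clean("/"+p), "/")
}

// withinShare is the scope check the advisory says the middleware did not
// apply to the final path: true only if full is shareRoot or lies below it.
func withinShare(shareRoot, full string) bool {
	root := path.Clean(shareRoot)
	return full == root || strings.HasPrefix(full, root+"/")
}

// vulnerableResolve reproduces the flawed order: join first, sanitise
// afterwards. path.Join already resolves "..", so by the time the sanitiser
// runs the escape has happened and there is nothing left to strip.
func vulnerableResolve(shareRoot, userPath string) string {
	joined := path.Join(shareRoot, userPath)
	return "/" + sanitizeUserPath(joined)
}

// safeResolve sanitises the user-controlled segment before joining it to the
// trusted root, then re-validates the final path against the share scope.
func safeResolve(shareRoot, userPath string) (string, error) {
	full := path.Join(shareRoot, sanitizeUserPath(userPath))
	if !withinShare(shareRoot, full) {
		return "", ErrOutsideShare
	}
	return full, nil
}

// resolveBulk applies safeResolve to every entry of a bulk request body and
// rejects the whole batch if any entry escapes, so one traversal entry
// cannot hide among legitimate ones.
func resolveBulk(shareRoot string, userPaths []string) ([]string, error) {
	out := make([]string, 0, len(userPaths))
	for _, p := range userPaths {
		full, err := safeResolve(shareRoot, p)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", p, err)
		}
		out = append(out, full)
	}
	return out, nil
}

func main() {
	const shareRoot = "/srv/data/shared" // constructed example share root
	for _, p := range []string{"notes.txt", "../protected.txt", "../../etc/passwd"} {
		bad := vulnerableResolve(shareRoot, p)
		good, err := safeResolve(shareRoot, p)
		fmt.Printf("%-18s vulnerable=%-26s inScope=%-5v safe=%s err=%v\n",
			p, bad, withinShare(shareRoot, bad), good, err)
	}
}
```

With `../protected.txt`, the vulnerable order yields `/srv/data/protected.txt`, a file outside the share, and the scope check would have caught it had it been applied. The safe order maps the same input to `/srv/data/shared/protected.txt`, so the request can only touch the share's own contents; the final `withinShare` check is kept as defence in depth so that a later change to the sanitiser cannot silently reopen the escape.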
Impact
- Unauthenticated deletion of arbitrary files within the share owner’s storage scope.
- Permanent data loss for victim organisations.
- Potential service disruption if files within that scope that the owner or the application depends on are removed.
- Attack requires only a valid public share hash with delete permissions enabled (no additional privileges).
Sources:
Reported By: github.com