CVE-2026-27611 HIGH

CVE-2026-27611: FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

Vendor Gtsteffaniak
Product filebrowser
Weakness CWE-200 · Info exposure
Published February 25, 2026
Last update February 27, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.

Key dates

02Disclosure timeline

February 25, 2026 CVE published
February 27, 2026 Record updated