What is CVE-2026-28492?

### Summary When a user creates a public share link for a **directory**, the `withHashFile` middleware in `http/public.go` (line 59) uses `filepath.Dir(link.Path)` to compute the `BasePathFs` root. This sets the filesystem root to the **parent directory** instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. ### Details In `http/public.go` lines 52-64, the `withHashFile` function handles public share link requests: ```go basePath := link.Path // e.g. "/documents/shared" filePath := "" if file.IsDir { basePath = filepath.Dir(basePath) // BUG: becomes "/documents" (parent!) filePath = ifPath } d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath) ``` When a directory at `/documents/shared` is shared, `filepath.Dir("/documents/shared")` evaluates to `"/documents"`. The `BasePathFs` is then rooted at the parent directory `/documents/`, giving the share link access to **everything** under `/documents/` - not just the intended `/documents/shared/`. This affects both `publicShareHandler` (directory listing via `/api/public/share/{hash}`) and `publicDlHandler` (file download via `/api/public/dl/{hash}/path`). ### PoC 1. Set up filebrowser with a user whose scope contains: 2. - `/documents/shared/public-file.txt` (intended to be shared) 3. - `/documents/secrets/passwords.txt` (NOT intended to be shared) 4. - `/documents/private/financial.csv` (NOT intended to be shared) 2. Create a public share link for the directory `/documents/shared` (via POST `/api/share/documents/shared`) 3. Access the share link: `GET /api/public/share/{hash}` 4. - **Expected**: Lists only contents of `/documents/shared/` 5. - **Actual**: Lists contents of `/documents/` (parent), revealing `secrets/`, `private/`, and `shared/` directories 4. Download sibling files: `GET /api/public/dl/{hash}/secrets/passwords.txt` 5. - **Expected**: 404 or 403 (file outside share scope) 6. - **Actual**: 200 with file contents (sibling file downloaded successfully) **Standalone Go test** reproducing the exact vulnerable code path with `afero.NewBasePathFs`: ```go func TestShareScopeEscape(t *testing.T) { baseFs := afero.NewMemMapFs() afero.WriteFile(baseFs, "/documents/shared/public.txt", []byte("public"), 0644) afero.WriteFile(baseFs, "/documents/secrets/passwords.txt", []byte("admin:hunter2"), 0644) linkPath := "/documents/shared" basePath := filepath.Dir(linkPath) // BUG: "/documents" scopedFs := afero.NewBasePathFs(baseFs, basePath) // Sibling file is accessible through the share: f, err := scopedFs.Open("/secrets/passwords.txt") // err is nil - file accessible! Content: "admin:hunter2" } ``` This test passes, confirming the vulnerability. ### Impact **Unauthenticated information disclosure (CWE-200, CWE-706)**. Anyone with a public share link for a directory can: - Browse all sibling directories and files of the shared directory - - Download any file within the parent directory scope - - This works without authentication (public shares) or after providing the share password (password-protected shares) All filebrowser v2.x installations that use directory sharing are affected. ### Recommended Fix Remove the `filepath.Dir()` call and use `link.Path` directly as the `BasePathFs` root: ```go if file.IsDir { // Don't change basePath - keep it as link.Path filePath = ifPath } d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath) ``` **Affected commit**: e3d00d591b567a8bfe3b02e42ba586859002c77d (latest) **File**: `http/public.go`, line 59

What is the severity of CVE-2026-28492?

CVE-2026-28492 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-28492?

No known public exploits are currently available for CVE-2026-28492.

Is there a patch available for CVE-2026-28492?

Yes, patches are available for CVE-2026-28492. Check the vendor advisories for update instructions.

CVE-2026-28492 - CVE Details, Severity, and Analysis

Published: March 10, 2026

Last updated:16 hours ago (March 10, 2026)

Updated March 10, 2026

no major risk factors

Summary

When a user creates a public share link for a directory, the withHashFile middleware in http/public.go (line 59) uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories.

Details

In http/public.go lines 52-64, the withHashFile function handles public share link requests:

basePath := link.Path    // e.g. "/documents/shared"
filePath := ""

if file.IsDir {
    basePath = filepath.Dir(basePath)  // BUG: becomes "/documents" (parent!)
    filePath = ifPath
}

d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)

When a directory at /documents/shared is shared, filepath.Dir("/documents/shared") evaluates to "/documents". The BasePathFs is then rooted at the parent directory /documents/, giving the share link access to everything under /documents/ - not just the intended /documents/shared/.

This affects both publicShareHandler (directory listing via /api/public/share/{hash}) and publicDlHandler (file download via /api/public/dl/{hash}/path).

PoC

Set up filebrowser with a user whose scope contains:
- /documents/shared/public-file.txt (intended to be shared)
- /documents/secrets/passwords.txt (NOT intended to be shared)
- /documents/private/financial.csv (NOT intended to be shared)
Create a public share link for the directory /documents/shared (via POST /api/share/documents/shared)
Access the share link: GET /api/public/share/{hash}
- Expected: Lists only contents of /documents/shared/
- Actual: Lists contents of /documents/ (parent), revealing secrets/, private/, and shared/ directories
Download sibling files: GET /api/public/dl/{hash}/secrets/passwords.txt
- Expected: 404 or 403 (file outside share scope)
- Actual: 200 with file contents (sibling file downloaded successfully) Standalone Go test reproducing the exact vulnerable code path with afero.NewBasePathFs:

func TestShareScopeEscape(t *testing.T) {
    baseFs := afero.NewMemMapFs()
    afero.WriteFile(baseFs, "/documents/shared/public.txt", []byte("public"), 0644)
    afero.WriteFile(baseFs, "/documents/secrets/passwords.txt", []byte("admin:hunter2"), 0644)

    linkPath := "/documents/shared"
    basePath := filepath.Dir(linkPath) // BUG: "/documents"
    scopedFs := afero.NewBasePathFs(baseFs, basePath)

    // Sibling file is accessible through the share:
    f, err := scopedFs.Open("/secrets/passwords.txt")
    // err is nil - file accessible! Content: "admin:hunter2"
}

This test passes, confirming the vulnerability.

Impact

Unauthenticated information disclosure (CWE-200, CWE-706). Anyone with a public share link for a directory can:

Browse all sibling directories and files of the shared directory
- Download any file within the parent directory scope
- This works without authentication (public shares) or after providing the share password (password-protected shares) All filebrowser v2.x installations that use directory sharing are affected.

Recommended Fix

Remove the filepath.Dir() call and use link.Path directly as the BasePathFs root:

if file.IsDir {
    // Don't change basePath - keep it as link.Path
    filePath = ifPath
}
d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)

Affected commit: e3d00d591b567a8bfe3b02e42ba586859002c77d (latest) File: http/public.go, line 59

Strobes VI. (2026). CVE-2026-28492 - CVE Details and Analysis. Strobes VI. Retrieved March 10, 2026, from https://vi.strobes.co/cve/CVE-2026-28492