CVE-2026-61874
Wolfi Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-61874 is a path normalization flaw in filebrowser (the open-source web-based file manager) that allows authenticated users to leave stale public shares behind by deleting a shared directory using a trailing-slash path. Affected versions are all releases before 2.63.17 (i.e., ≤ 2.63.16); version 2.63.17 contains the fix. The vulnerability was published on July 12, 2026, with the underlying security advisory (GHSA-pp88-jhwj-5qh5) originally authored by maintainer hacdias and credited to reporter DavidCarliez. It carries a CVSS v3.1 base score of 3.1 (Low) and a CVSS v4.0 base score of 2.3 (Low) (GitHub Advisory, Security Advisory).

Técnicas

The root cause is an incorrect authorization check (CWE-863) in storage/bolt/share.go. The DeleteWithPathPrefix function performs a Bolt database prefix query using the raw, unnormalized path argument before trimming the trailing slash — meaning a request for /a/ queries for paths prefixed by /a/, which returns child entries but not the exact share stored at /a. The TrimRight normalization occurs only afterward in the loop boundary check, so the exact share row is never loaded and never deleted. In http/resource.go, the request-derived path (including the trailing slash) is passed directly into this cleanup before the filesystem RemoveAll call, so the directory is physically removed while the public share record persists in storage. If the same directory path is later recreated, the dormant share URL becomes active again and exposes the new directory contents to unauthenticated users (Security Advisory).

Impacto

Successful exploitation results in unintended data disclosure: an authenticated attacker can cause future files placed in a recreated directory to be accessible to unauthenticated users via a dormant public share URL, bypassing the intended share lifecycle cleanup. The confidentiality impact is limited to files within the recreated directory scope, and there is no integrity or availability impact. There is no evidence of lateral movement potential, but sensitive files placed in the affected path after directory recreation would be exposed without any authentication requirement (Security Advisory, GitHub Advisory).

Pasos de explotación

  1. Obtain authenticated access: Log in to a filebrowser instance (version ≤ 2.63.16) with an account that has share, download, and delete permissions.
  2. Create a shared directory: Create a directory (e.g., /a) and upload a file (e.g., /a/old.txt). Create a public share for /a, noting the resulting public share hash (e.g., hash h).
  3. Delete the directory with a trailing slash: Send an authenticated DELETE request to /api/resources/a/ (note the trailing slash). The filesystem directory is removed, but the share record for /a remains in the Bolt database because DeleteWithPathPrefix("/a/", userID) queries for prefix /a/ and misses the exact /a entry.
  4. Verify the stale share: Confirm the share hash h still exists in storage (the public URL is now dormant since the path no longer exists on disk).
  5. Recreate the directory with new content: Create /a/future.txt (or any new content) under the same path /a.
  6. Access new content unauthenticated: Request the public share URL (e.g., /share/h/) without authentication and observe that future.txt is listed and accessible, exposing the new directory contents through the old share link (Security Advisory).

Indicadores de compromiso

  • Logs: Authenticated DELETE requests to API paths ending with a trailing slash (e.g., DELETE /api/resources/<dirname>/) followed shortly by directory recreation at the same path; access log entries showing unauthenticated GET requests to /share/<hash>/ for shares associated with previously deleted directories.
  • File System: Presence of files in a directory that was previously deleted, where a public share for that path still exists in the Bolt database (share.db).
  • Application State: Share records in the filebrowser Bolt database (share.db) referencing paths that do not currently exist on disk — these represent dormant stale shares that may become active upon directory recreation (Security Advisory).

Mitigación y soluciones alternativas

Update filebrowser to version 2.63.17 or later, which normalizes paths before querying the share index in DeleteWithPathPrefix and adds regression tests for this scenario. As interim measures, administrators should audit all active public shares and revoke any that reference paths no longer intended to be shared, restrict share/delete permissions to only trusted users, and monitor for suspicious patterns of directory deletion followed by recreation at the same path. No configuration-only workaround is available that fully mitigates the flaw without upgrading (Security Advisory, GitHub Advisory).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Wolfi Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-57156HIGH8.6
  • Wolfi logoWolfi
  • freerdp
NoJul 10, 2026
CVE-2026-54174HIGH8.3
  • Wolfi logoWolfi
  • dagdotdev
NoJul 10, 2026
CVE-2026-57157MEDIUM6.5
  • Wolfi logoWolfi
  • freerdp3
NoNoJul 10, 2026
CVE-2026-57158MEDIUM5.1
  • Wolfi logoWolfi
  • libwinpr-devel
NoNoJul 10, 2026
CVE-2026-61874LOW2.3
  • Wolfi logoWolfi
  • filebrowser
NoJul 12, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades