CVE-2026-61874:
Wolfi Análisis y mitigación de vulnerabilidades
Vista general
CVE-2026-61874 is a path normalization flaw in filebrowser (the open-source web-based file manager) that allows authenticated users to leave stale public shares behind by deleting a shared directory using a trailing-slash path. Affected versions are all releases before 2.63.17 (i.e., ≤ 2.63.16); version 2.63.17 contains the fix. The vulnerability was published on July 12, 2026, with the underlying security advisory (GHSA-pp88-jhwj-5qh5) originally authored by maintainer hacdias and credited to reporter DavidCarliez. It carries a CVSS v3.1 base score of 3.1 (Low) and a CVSS v4.0 base score of 2.3 (Low) (GitHub Advisory, Security Advisory).
Técnicas
The root cause is an incorrect authorization check (CWE-863) in storage/bolt/share.go. The DeleteWithPathPrefix function performs a Bolt database prefix query using the raw, unnormalized path argument before trimming the trailing slash — meaning a request for /a/ queries for paths prefixed by /a/, which returns child entries but not the exact share stored at /a. The TrimRight normalization occurs only afterward in the loop boundary check, so the exact share row is never loaded and never deleted. In http/resource.go, the request-derived path (including the trailing slash) is passed directly into this cleanup before the filesystem RemoveAll call, so the directory is physically removed while the public share record persists in storage. If the same directory path is later recreated, the dormant share URL becomes active again and exposes the new directory contents to unauthenticated users (Security Advisory).
Impacto
Successful exploitation results in unintended data disclosure: an authenticated attacker can cause future files placed in a recreated directory to be accessible to unauthenticated users via a dormant public share URL, bypassing the intended share lifecycle cleanup. The confidentiality impact is limited to files within the recreated directory scope, and there is no integrity or availability impact. There is no evidence of lateral movement potential, but sensitive files placed in the affected path after directory recreation would be exposed without any authentication requirement (Security Advisory, GitHub Advisory).
Pasos de explotación
- Obtain authenticated access: Log in to a filebrowser instance (version ≤ 2.63.16) with an account that has share, download, and delete permissions.
- Create a shared directory: Create a directory (e.g.,
/a) and upload a file (e.g.,/a/old.txt). Create a public share for/a, noting the resulting public share hash (e.g., hashh). - Delete the directory with a trailing slash: Send an authenticated DELETE request to
/api/resources/a/(note the trailing slash). The filesystem directory is removed, but the share record for/aremains in the Bolt database becauseDeleteWithPathPrefix("/a/", userID)queries for prefix/a/and misses the exact/aentry. - Verify the stale share: Confirm the share hash
hstill exists in storage (the public URL is now dormant since the path no longer exists on disk). - Recreate the directory with new content: Create
/a/future.txt(or any new content) under the same path/a. - Access new content unauthenticated: Request the public share URL (e.g.,
/share/h/) without authentication and observe thatfuture.txtis listed and accessible, exposing the new directory contents through the old share link (Security Advisory).
Indicadores de compromiso
- Logs: Authenticated DELETE requests to API paths ending with a trailing slash (e.g.,
DELETE /api/resources/<dirname>/) followed shortly by directory recreation at the same path; access log entries showing unauthenticated GET requests to/share/<hash>/for shares associated with previously deleted directories. - File System: Presence of files in a directory that was previously deleted, where a public share for that path still exists in the Bolt database (
share.db). - Application State: Share records in the filebrowser Bolt database (
share.db) referencing paths that do not currently exist on disk — these represent dormant stale shares that may become active upon directory recreation (Security Advisory).
Mitigación y soluciones alternativas
Update filebrowser to version 2.63.17 or later, which normalizes paths before querying the share index in DeleteWithPathPrefix and adds regression tests for this scenario. As interim measures, administrators should audit all active public shares and revoke any that reference paths no longer intended to be shared, restrict share/delete permissions to only trusted users, and monitor for suspicious patterns of directory deletion followed by recreation at the same path. No configuration-only workaround is available that fully mitigates the flaw without upgrading (Security Advisory, GitHub Advisory).
Recursos adicionales
Fuente: Este informe se generó utilizando IA
Relacionado Wolfi Vulnerabilidades:
Evaluación gratuita de vulnerabilidades
Compare su postura de seguridad en la nube
Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.
Recursos adicionales de Wiz
Obtén una demostración personalizada
¿Listo para ver a Wiz en acción?
"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."