CVE-2026-54097 in File Browser
Summary
by MITRE • 06/25/2026
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebrowser (with create + delete permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored share.Link.Path. The file contents of the victim are not exposed, but the victim's share links are irrevocably wiped. This vulnerability is fixed in 2.63.6.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/26/2026
This vulnerability represents a critical access control flaw in File Browser software that allows low-privileged users to perform unauthorized destructive actions against shared resources belonging to other users including administrators. The issue stems from inadequate path validation and scope enforcement within the application's file management system, specifically affecting versions prior to 2.63.6. The vulnerability operates through a prefix matching mechanism where an authenticated user with basic create and delete permissions in their own directory can exploit the system by targeting files whose paths serve as byte prefixes for other users' share link records.
The technical execution of this vulnerability relies on the application's failure to properly validate whether a requested deletion operation targets resources outside the user's designated scope. When a malicious user performs a legitimate DELETE operation on a file within their own directory, the system incorrectly processes the request and removes share link records from other users' accounts. This occurs because the application does not adequately distinguish between the user's own files and shared links that happen to have path relationships with the targeted file. The flaw essentially allows privilege escalation through path manipulation, where the attacker can leverage their legitimate directory access to destroy resources belonging to other users without proper authorization.
The operational impact of this vulnerability is severe as it enables persistent data destruction attacks against shared resources including administrative accounts. While the victim's actual file contents remain protected from exposure, the complete removal of share links represents a significant loss of functionality and potential data accessibility issues for affected users. The vulnerability affects the integrity and availability aspects of the system's security model, as it undermines the principle of least privilege by allowing unauthorized destruction of shared resources. This type of attack could be particularly damaging in environments where administrators rely on share links for collaboration or file distribution purposes.
The vulnerability maps to CWE-284 Access Control Issues, specifically addressing inadequate access control enforcement when processing file operations. It also relates to ATT&CK technique T1078 Valid Accounts, as it leverages legitimate user credentials and permissions to execute unauthorized destructive actions. Additionally, this represents a path traversal or directory traversal vulnerability that allows lateral movement through the application's permission model. Organizations should implement immediate mitigations including upgrading to version 2.63.6, which contains proper path validation and scope enforcement mechanisms. System administrators should also consider implementing additional monitoring for suspicious deletion patterns and review user permissions to ensure appropriate isolation between user accounts, particularly regarding shared resource access and modification capabilities.
This vulnerability demonstrates the critical importance of proper input validation and scope enforcement in web applications that handle file operations and shared resources. The flaw highlights how seemingly innocuous path relationships can create significant security implications when not properly validated. Organizations using File Browser should conduct thorough security assessments to identify potential similar vulnerabilities in their application environments, particularly focusing on directory traversal scenarios and access control boundaries. The fix implemented in version 2.63.6 addresses the core issue by ensuring proper validation of deletion operations against user scope boundaries and implementing more robust path checking mechanisms to prevent unauthorized resource destruction.