CVE-2026-61874 in filebrowserinfo

Summary

by MITRE • 07/12/2026

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose new contents through the dormant public share URL.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/12/2026

This vulnerability exists in filebrowser versions prior to 26317 where the DeleteWithPathPrefix function fails to properly normalize paths before querying the share index. The issue stems from inadequate input validation and path handling within the application's sharing mechanism, creating a persistent security flaw that allows authenticated users to manipulate public share states. When users delete directories through paths containing trailing slashes, the system does not correctly normalize these paths during index queries, resulting in stale share entries remaining in the system even after directory deletion.

The technical implementation flaw manifests in how filebrowser processes path normalization within its sharing subsystem. When a user performs a delete operation with a trailing-slash path, the system maintains references to the deleted share in its internal index without properly clearing these entries. This path normalization failure creates a condition where the share index retains stale references while the actual filesystem directory has been removed. The vulnerability operates at the intersection of path manipulation and access control enforcement, allowing attackers to exploit this gap in state management.

The operational impact of this vulnerability extends beyond simple data exposure, creating persistent backdoors through public shares that remain functional even after underlying directories have been deleted. An attacker can leverage this flaw by first deleting a shared directory using a trailing-slash path, causing the system to leave stale entries in the share index. Subsequently, when recreating the same directory structure, the dormant public share URL continues to function and exposes newly created content through the previously established share link. This represents a significant compromise of the application's access control model and data isolation guarantees.

This vulnerability aligns with CWE-200 Information Exposure and CWE-798 Use of Hard-coded Credentials in its exploitation patterns, though it more specifically relates to improper input handling and state management issues within access control systems. The flaw demonstrates characteristics consistent with ATT&CK technique T1566 Credential Stuffing and T1078 Valid Accounts, as authenticated users can leverage their legitimate access rights to manipulate the system's share state. The attack requires only basic authentication privileges and understanding of path manipulation techniques, making it particularly dangerous in environments where filebrowser is used for shared document management.

Mitigation strategies should focus on implementing comprehensive path normalization across all share index operations, ensuring that trailing slashes and other path variations are consistently handled during delete and create operations. System administrators should immediately upgrade to filebrowser version 26317 or later where this vulnerability has been patched. Additionally, organizations should implement monitoring for unusual share creation and deletion patterns, as well as regular audits of public share states to identify and remove stale entries. The fix requires modifications to the DeleteWithPathPrefix function to enforce strict path normalization before index queries, ensuring that all path variations resolve to consistent internal representations.

Responsible

VulnCheck

Reservation

07/10/2026

Disclosure

07/12/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!