CVE-2026-62683 in File Browserinfo

Summary

by MITRE • 07/15/2026

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser can leave a public directory share behind when the shared directory is deleted through a path with a trailing slash because the share cleanup path calls DeleteWithPathPrefix(file.Path, userID) and the Bolt backend performs the database prefix query with the unnormalized path before trimming the slash for boundary checks, so deleting /a/ does not delete the stored /a share and the stale public share exposes future content if the same path is recreated. This issue is fixed in version 2.63.17.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability affects File Browser versions prior to 2.63.17 and represents a critical access control flaw that stems from improper path handling during directory share cleanup operations. The issue manifests when users delete shared directories through paths containing trailing slashes, creating persistent public shares that remain accessible even after the original directory has been removed from the system. The vulnerability specifically arises from a mismatch between how the application processes file paths during deletion operations and how the underlying Bolt database backend handles prefix-based queries.

The technical root cause lies in the path normalization inconsistency within the delete operation flow. When a user attempts to delete a directory through a path with a trailing slash such as "/a/", the system calls DeleteWithPathPrefix(file.Path, userID) function which passes the unnormalized path to the Bolt backend. The Bolt database performs its prefix query using this raw path without first normalizing it by removing the trailing slash, while boundary checks for deletion operations are performed after the slash has been trimmed. This fundamental inconsistency means that when deleting "/a/", the system fails to match and remove the stored share entry that was originally created with the normalized path "/a", leaving behind a stale public share that continues to expose content.

This flaw creates a significant security risk as it allows unauthorized users to access files and directories that should have been removed through the deletion process. The persistent public share effectively provides a backdoor mechanism where deleted content remains accessible, particularly dangerous when the same directory path is recreated by an attacker or legitimate user. The vulnerability enables information disclosure and potential privilege escalation scenarios where attackers can gain access to previously deleted content without proper authentication or authorization.

The impact of this vulnerability extends beyond simple data exposure, as it represents a failure in the application's access control mechanisms and data lifecycle management. This issue directly relates to CWE-284 Access Control Issues and specifically manifests as improper access control due to inconsistent path handling during deletion operations. The flaw also aligns with ATT&CK technique T1078 Valid Accounts, as it enables unauthorized access through legitimate account usage patterns where deleted shares continue to function despite administrative removal.

The mitigation for this vulnerability requires updating File Browser installations to version 2.63.17 or later, which implements proper path normalization before performing database operations. Organizations should also conduct thorough audits of existing shared directories to identify and remove any stale public shares that may have been created through this vulnerability. Additionally, system administrators should implement monitoring for unusual deletion patterns and ensure that all directory management operations properly normalize paths before database interactions. The fix addresses the core issue by ensuring consistent path handling throughout the delete operation lifecycle, preventing the creation of orphaned share entries that could be exploited to maintain access to deleted content.

Responsible

GitHub M

Reservation

07/14/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!