Overview

CVE-2026-54091 is a vulnerability in File Browser's public share handlers: an access-control flaw in public directory shares caused by rule path rebasing. When a share owner creates a public share for a directory, an attacker who knows the share URL can access files and subdirectories that the owner intended to block with File Browser rules.

Technical Details

The public share flow in File Browser first resolves the original shared path under the owner's filesystem. It then switches to a new `BasePathFs` rooted at the shared directory. The subsequent authorization check is performed by `d.Check`, which compares the request path to rule strings using prefix matching. The problem is that when the share target is a directory, the path passed to `d.Check` is relative to the shared directory, while the rules remain relative to the owner's original scope. A deny rule such as `/projects/private` therefore no longer matches a public share request for `/private/secret.txt`, even though the rebased filesystem resolves that request to the real path `/projects/private/secret.txt`. The vulnerable code path is located in `http/public.go`:

```go
// basePath and filePath are initialised earlier in the handler. For a directory
// share the filesystem is re-rooted at the shared directory and the request
// path (ifPath) becomes relative to it.
if file.IsDir {
	basePath = filepath.Clean(link.Path)
	filePath = ifPath
}
d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)
file, err = files.NewFileInfo(&files.FileOptions{
	Fs:      d.user.Fs,
	Path:    filePath, // relative to the share root, not to the owner's scope
	Expand:  true,
	Checker: d, // d.Check is handed the rebased path
})
```

The `d.Check` function is defined in `http/data.go`, and `Rule.Matches` in `rules/rules.go`:

```go
// Check applies the global rules and then the user's rules; the last matching
// rule wins and the default is allow.
func (d *data) Check(path string) bool {
	allow := true
	for _, rule := range d.settings.Rules {
		if rule.Matches(path) {
			allow = rule.Allow
		}
	}
	for _, rule := range d.user.Rules {
		if rule.Matches(path) {
			allow = rule.Allow
		}
	}
	return allow
}

// Matches is a plain prefix match: the rule path itself, or any path beneath it.
func (r *Rule) Matches(path string) bool {
	if path == r.Path {
		return true
	}
	prefix := r.Path
	if prefix != "/" && !strings.HasSuffix(prefix, "/") {
		prefix += "/"
	}
	return strings.HasPrefix(path, prefix)
}
```

Impact Analysis

This vulnerability has a significant impact on the security of File Browser's public share feature. An attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules. This can lead to unauthenticated information disclosure through public share endpoints, such as `GET /api/public/share/*` and `GET /api/public/dl/*`. In practical deployments, this can disclose secrets, configuration files, backup material, private project directories, or any other content that administrators or users attempted to hide beneath a shared parent directory using the built-in rule system.

Mitigation

The fix is to update File Browser so that descendant paths under a directory share are evaluated against the owner's global and per-user rules using the original path in the owner's scope, rather than the rebased relative path. Until the update is applied, users should be cautious when sharing directories publicly and should not rely on rules to hide sensitive content beneath a shared parent: sensitive information should not be stored in shared directories or their subdirectories at all. It is also recommended to protect sensitive data with additional authentication and authorization checks rather than exposing it through public share endpoints.
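To make the mismatch in the Technical Details concrete, and to show the owner-scope evaluation the mitigation calls for, here is an added example (not File Browser's code) that reimplements the prefix matcher and last-match-wins check described above and contrasts checking the rebased path with checking the path joined back under the share root. The rule `/projects/private`, share root `/projects` and request `private/secret.txt` are the advisory's scenario; `VulnerableCheck` and `FixedCheck` are hypothetical names.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

type Rule struct { // mirrors File Browser's rule shape: a path prefix plus allow/deny
	Path  string
	Allow bool
}

// Matches is the prefix match from rules/rules.go: the rule path or anything beneath it.
func (r Rule) Matches(path string) bool {
	if path == r.Path {
		return true
	}
	prefix := r.Path
	if prefix != "/" && !strings.HasSuffix(prefix, "/") {
		prefix += "/"
	}
	return strings.HasPrefix(path, prefix)
}

// Check applies the rules in order; last match wins, default allow, as d.Check does.
func Check(rules []Rule, path string) bool {
	allow := true
	for _, r := range rules {
		if r.Matches(path) {
			allow = r.Allow
		}
	}
	return allow
}

// VulnerableCheck matches the path as the rebased BasePathFs sees it (relative to the share).
func VulnerableCheck(rules []Rule, _ string, relPath string) bool {
	return Check(rules, filepath.Clean("/"+relPath))
}

// FixedCheck re-joins the request under the shared directory (owner's scope); Clean blocks "..".
func FixedCheck(rules []Rule, sharedDir, relPath string) bool {
	return Check(rules, filepath.Join(sharedDir, filepath.Clean("/"+relPath)))
}

func main() { // constructed scenario: /projects shared, /projects/private denied by rule
	rules := []Rule{{Path: "/projects/private", Allow: false}}
	fmt.Println(VulnerableCheck(rules, "/projects", "private/secret.txt")) // true: bypass
	fmt.Println(FixedCheck(rules, "/projects", "private/secret.txt"))      // false: denied
}
```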