Intelligence: High-severity vulnerability (Active)

Path Traversal in FileBrowser Public Share PATCH Handler via Unsafe Path Join

FileBrowser's public PATCH endpoint joins user-controlled paths with the share root before sanitization, allowing traversal outside the intended directory. Public shares with modification enabled are immediately exploitable.

Sebastion

Affected

FileBrowser/FileBrowser (commit 869b640 and prior)

Vulnerability Description

The vulnerability is a classic path traversal via unsafe path join (CWE-22). The root cause is the order of operations: publicPatchHandler in backend/http/public.go concatenates user-supplied fromPath and toPath parameters with a trusted share directory using filepath.Join() BEFORE those paths reach the downstream sanitization logic in resourcePatchHandler. Since filepath.Join() normalizes .. segments during concatenation, the resulting path appears legitimate to the sanitizer, which never detects or rejects the traversal attempt. This allows an attacker to move, copy, or rename files outside the intended shared directory boundary.

PoC Significance

This disclosure is particularly significant because it represents a regression: the identical vulnerability was previously patched for the bulk DELETE endpoint (CVE-2026-44542), but the PATCH handler was not updated with the same fix. This suggests:

  • The codebase has multiple endpoints with similar patterns that may share the same flaw
  • The fix for CVE-2026-44542 was not consistently applied across all file-operation handlers
  • Public shares with AllowModify=true (a legitimate use case for collaborative scenarios) enable immediate exploitation without authentication

The verified reproduction on a current commit indicates this is not a theoretical issue.

Detection Guidance

Defenders should monitor for:

  • HTTP Logs: POST/PATCH requests to public share endpoints (/api/public/*) whose JSON bodies carry items[].fromPath or items[].toPath values that include .. segments or absolute paths
  • File System Auditing: Track move/copy/rename operations originating from the FileBrowser process that target paths outside the configured share root directory
  • Application Logs: Look for resourcePatchHandler invocations where the processed paths differ significantly from the user-supplied input (indicating path normalization)
  • Configuration Review: Enumerate all public shares and identify those with AllowModify=true; these are immediate attack surface
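The HTTP-log check above, as an added example written for this advisory (it is not FileBrowser code and not a FileBrowser log format). It assumes a reverse proxy or WAF that records each request as one JSON line with method, URL path and raw body; the share hash in the URL and every log line are constructed. It flags items[].fromPath or items[].toPath values that are absolute or contain a .. segment, and ignores requests that are not POST/PATCH under /api/public/.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// requestLog is a constructed log record shape (method, URL path and raw JSON
// body on one line), as a reverse proxy or WAF might emit. It is an assumed
// format, not something FileBrowser itself writes.
type requestLog struct {
	Method string `json:"method"`
	URL    string `json:"url"`
	Body   string `json:"body"`
}

// patchItem / patchBody follow the items[].fromPath / items[].toPath shape
// named in the detection guidance.
type patchItem struct {
	FromPath string `json:"fromPath"`
	ToPath   string `json:"toPath"`
}

type patchBody struct {
	Items []patchItem `json:"items"`
}

// suspiciousPath explains why a share-relative path looks like an escape
// attempt: an absolute path, or any ".." segment under either separator.
// The body is already-decoded JSON, so no URL-decoding is attempted here.
func suspiciousPath(p string) (string, bool) {
	if strings.HasPrefix(p, "/") || strings.HasPrefix(p, "\\") {
		return "absolute path", true
	}
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(p, isSep) {
		if seg == ".." {
			return "parent-directory segment", true
		}
	}
	return "", false
}

// analyzeLine parses one log line and returns one finding per suspicious
// path. Only POST/PATCH requests under /api/public/ are examined; every
// other line yields no findings.
func analyzeLine(line string) ([]string, error) {
	var rec requestLog
	if err := json.Unmarshal([]byte(line), &rec); err != nil {
		return nil, fmt.Errorf("bad log record: %w", err)
	}
	if (rec.Method != "PATCH" && rec.Method != "POST") || !strings.HasPrefix(rec.URL, "/api/public/") {
		return nil, nil
	}
	var body patchBody
	if err := json.Unmarshal([]byte(rec.Body), &body); err != nil {
		// A body that is not JSON is not a traversal finding; surface it as
		// an error so the caller can decide whether to review it separately.
		return nil, fmt.Errorf("unparseable body: %w", err)
	}
	var findings []string
	for i, it := range body.Items {
		if why, ok := suspiciousPath(it.FromPath); ok {
			findings = append(findings, fmt.Sprintf("items[%d].fromPath=%q (%s)", i, it.FromPath, why))
		}
		if why, ok := suspiciousPath(it.ToPath); ok {
			findings = append(findings, fmt.Sprintf("items[%d].toPath=%q (%s)", i, it.ToPath, why))
		}
	}
	return findings, nil
}

// sampleLines are constructed; SHARE_HASH_PLACEHOLDER stands in for a real
// public share identifier.
var sampleLines = []string{
	`{"method":"PATCH","url":"/api/public/SHARE_HASH_PLACEHOLDER","body":"{\"items\":[{\"fromPath\":\"docs/q1.pdf\",\"toPath\":\"archive/q1.pdf\"}]}"}`,
	`{"method":"PATCH","url":"/api/public/SHARE_HASH_PLACEHOLDER","body":"{\"items\":[{\"fromPath\":\"../../outside/secret.txt\",\"toPath\":\"pub/secret.txt\"}]}"}`,
	`{"method":"POST","url":"/api/public/SHARE_HASH_PLACEHOLDER","body":"{\"items\":[{\"fromPath\":\"notes.txt\",\"toPath\":\"/tmp/notes.txt\"},{\"fromPath\":\"a/b.txt\",\"toPath\":\"c/b.txt\"}]}"}`,
	`{"method":"GET","url":"/api/public/SHARE_HASH_PLACEHOLDER","body":""}`,
}

func main() {
	for n, line := range sampleLines {
		findings, err := analyzeLine(line)
		switch {
		case err != nil:
			fmt.Printf("line %d: error: %v\n", n+1, err)
		case len(findings) == 0:
			fmt.Printf("line %d: clean\n", n+1)
		default:
			fmt.Printf("line %d: ALERT %s\n", n+1, strings.Join(findings, "; "))
		}
	}
}
```

The check is deliberately generous: any .. segment in a share-relative path is reported, not only sequences that would actually escape, because a benign client has little reason to send one through a public share endpoint and the cost of a false positive here is one log line to review.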

Mitigation Steps

  1. Immediate: Disable AllowModify on public share links until patching is complete
  2. Short-term: Apply the defensive fix from CVE-2026-44542 to the PATCH handler: sanitize paths BEFORE joining with the share root, not after
  3. Patch: Update to a patched FileBrowser version once available (check GitHub releases)
  4. Code Review: Audit all file-operation endpoints (DELETE, PUT, POST, PATCH) for similar path-join ordering issues
  5. Configuration: Restrict the share owner's source root to a narrow, dedicated directory to limit the blast radius of traversal attacks
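The ordering problem from the Vulnerability Description, and the fix that mitigation step 2 calls for, as one added example in Go. This is constructed illustration code, not FileBrowser's publicPatchHandler or resourcePatchHandler; the share root and the function names (joinThenCheck, sanitizeRelative, checkThenJoin) are hypothetical. joinThenCheck joins first and then looks for .. in the result, which filepath.Join has already cleaned away; checkThenJoin validates the untrusted path on its own before joining and re-verifies the result with filepath.Rel.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a share-relative path would leave the share root.
var ErrTraversal = errors.New("path escapes share root")

// joinThenCheck reproduces the ordering the advisory describes: the untrusted
// path is joined to the share root first. filepath.Join runs Clean on the
// result, so any ".." segments are resolved before anyone can inspect them.
// Constructed illustration, not FileBrowser's handler code.
func joinThenCheck(root, userPath string) (string, bool) {
	full := filepath.Join(root, userPath)
	// A sanitizer that runs only after the join sees a path that no longer
	// contains "..", so it reports the path as fine even when it has escaped.
	for _, seg := range strings.Split(full, string(filepath.Separator)) {
		if seg == ".." {
			return full, false
		}
	}
	return full, true
}

// sanitizeRelative validates the untrusted path on its own, before any join.
// Hypothetical helper name.
func sanitizeRelative(userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrTraversal
	}
	// Clean on a relative path keeps a leading "..", so an escape attempt is
	// still visible at this point ("docs/../../x" cleans to "../x").
	cleaned := filepath.Clean(userPath)
	if cleaned == ".." || strings.HasPrefix(cleaned, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return cleaned, nil
}

// checkThenJoin sanitizes first, joins second, and then re-verifies the
// result with filepath.Rel as defense in depth. Rel also avoids the
// "/srv/share" vs "/srv/share-other" pitfall of a plain string-prefix check.
func checkThenJoin(root, userPath string) (string, error) {
	rel, err := sanitizeRelative(userPath)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, rel)
	back, err := filepath.Rel(root, full)
	if err != nil || back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	root := "/srv/share" // constructed share root
	inputs := []string{"docs/a/../report.txt", "../../outside/secret.txt", "/outside/secret.txt", "docs/../../x", "."}
	for _, p := range inputs {
		full, ok := joinThenCheck(root, p)
		safe, err := checkThenJoin(root, p)
		fmt.Printf("%-26q join-then-check: %-26q ok=%-5v | check-then-join: %q err=%v\n", p, full, ok, safe, err)
	}
}
```

Run on a POSIX system, the second input shows the whole problem in one line: join-then-check returns "/outside/secret.txt" with ok=true, while check-then-join rejects it before any filesystem call is made.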

Risk Assessment

Likelihood of wild exploitation: High. Public share links are often shared widely, and the exploit requires only a valid public link with a permissive permission setting. No authentication is needed. The vulnerability is deterministic and reliable.

Threat actor interest: High. Arbitrary file movement/rename/copy within a user's source root enables:

  • Exfiltration by moving sensitive files to a publicly accessible share
  • Denial of service by corrupting directory structures
  • Supply chain attacks if the share root contains source code or configuration

Organizational risk: Organizations using FileBrowser for collaborative file sharing (especially with external partners) should treat this as critical if any public share has modification enabled.