Technologyglobal✓ verified · 90%

File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix

Name: File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix
Start: 2026-06-12T21:00:55Z
Location: Global (internet)

When: 2026-06-12 21:00 UTC
Where: Global (internet)
Category: cyber_advisory · go

### Summary A low-privileged authenticated user of filebrowser (with `create` + `delete` permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored `share.Link.Path`. The file contents of the victim are not exposed, but the victim's share links are irrevocably wiped. ### Details `resourceDeleteHandler` in `http/resource.go` cleans up any share records that reference a deleted file by calling: ```go // http/resource.go err = d.store.Share.DeleteWithPathPrefix(file.Path) ``` `file.Path` here is the *logical* path from the URL of the deleting user's request (e.g. `/a`), not the absolute filesystem path. It is passed as-is to the bolt backend: ```go // storage/bolt/share.go func (s shareBackend) DeleteWithPathPrefix(pathPrefix string) error { var links []share.Link if err := s.db.Prefix("Path", pathPrefix, &links); err != nil { return err } for _, link := range links { err = errors.Join(err, s.db.DeleteStruct(&share.Link{Hash: link.Hash})) } return err } ``` **Why the design contradicts this behavior.** `share.Link` carries a `UserID` field and the application elsewhere treats shares as per-user owned resources. `shareDeleteHandler` explicitly enforces `link.UserID != d.user.ID && !d.user.Perm.Admin → 403`. The file-deletion side-effect path is the only location that bypasses this rule. ### Impact - Integrity: unauthorized deletion of share-link metadata belonging to arbitrary users, including administrators. - Availability: effective denial-of-service of the share-link feature — a cooperating (or malicious) low-priv user can wipe the bulk of existing share links by iterating a short set of one- and two-character prefixes.

Involved actors & entities

People, organizations and places machine-extracted from the source reporting — they power search and the correlation graph. Extracted automatically, so they can include noise, especially on events still marked unverified.

go/github.com/filebrowser/filebrowser
go/github.com/filebrowser/filebrowser/v2
GHSA-5ww9-jg6q-38r7
CVE-2026-54097

Sources

GitHub Advisory Database ↗ · first seen 2026-06-12 21:00 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

No correlated events found in the current window. As more events arrive, connections form automatically.

← Back to the live map