CVE-2026-27611: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in gtsteffaniak filebrowser
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-27611 is a vulnerability in FileBrowser Quantum, a self-hosted, web-based file manager developed by gtsteffaniak. The issue exists in versions prior to 1.1.3-stable and between 1.2.0-beta and 1.2.6-beta, where password-protected file shares can be accessed without authentication. The root cause is that the API returns a direct download URL within the share details, and that response is accessible to anyone possessing the share link, so the password protection mechanism is bypassed entirely. This constitutes an exposure of sensitive information (CWE-200) and involves authentication bypass weaknesses (CWE-287 and CWE-288). An attacker with only the share link (no password or user authentication required) can download files directly, compromising confidentiality. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:P), and high impact on confidentiality (VC:H), with limited impact on integrity and availability. Although no known exploits have been reported in the wild, the flaw poses a significant risk to any organization using affected versions for sensitive file sharing. The issue was addressed in versions 1.1.3-stable and 1.2.6-beta by removing or securing the direct download link in the API response.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive files shared via FileBrowser Quantum. Attackers who obtain the share link can bypass password protection and download files directly, leading to potential data breaches involving confidential or proprietary information. This compromises confidentiality severely, while integrity and availability impacts are minimal. Organizations relying on FileBrowser for secure file sharing risk exposure of intellectual property, personal data, or regulated information, which could result in legal liabilities, reputational damage, and compliance violations. Since the vulnerability requires only possession of the share link and minimal user interaction, exploitation is relatively easy, increasing the threat level. The scope includes any organization using vulnerable versions of FileBrowser Quantum, especially those sharing sensitive data externally or internally. Although no active exploits are known, the vulnerability’s presence in widely used self-hosted file management software makes it a significant risk vector for data leakage.
Mitigation Recommendations
- Immediately upgrade FileBrowser Quantum to version 1.1.3-stable or 1.2.6-beta or later, where the vulnerability is fixed.
- Until upgrades are applied, avoid sharing password-protected files via the vulnerable versions, or disable sharing features if possible.
- Review and audit existing shared links to identify and revoke any that may expose sensitive data.
- Implement network-level access controls, such as VPNs or IP whitelisting, to restrict access to the FileBrowser instance and reduce exposure.
- Monitor logs for unusual download activity or access patterns that could indicate exploitation attempts.
- Educate users about the risks of sharing links and encourage use of additional encryption or secure transfer methods.
- If immediate patching is not feasible, consider deploying a Web Application Firewall (WAF) with custom rules to detect and block unauthorized API access.
- Regularly review and update security policies around file sharing and access control to prevent similar issues.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T19:43:14.602Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699e6864b7ef31ef0bae9d12
Added to database: 2/25/2026, 3:11:32 AM
Last enriched: 3/4/2026, 6:55:56 PM
Last updated: 4/11/2026, 11:27:43 PM
Views: 120