CVE-2026-30933 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information), CWE-306 (Missing Authentication for Critical Function), and CWE-602 (Client-Side Enforcement of Server-Side Security). It affects FileBrowser Quantum, a self-hosted, web-based file manager developed by gtsteffaniak. The vulnerability arises because password-protected shares continue to expose tokenized download URLs through the /public/api/share/info endpoint, even though these shares are intended to restrict access. This means that unauthorized actors can retrieve sensitive download URLs without any authentication or user interaction, potentially allowing them to download protected files. The issue is a partial fix failure of a previous vulnerability (CVE-2026-27611), indicating incomplete remediation. The affected versions include 1.1.3-stable, versions from 1.2.6-beta up to but not including 1.2.2-stable, and versions from 1.3.0-beta up to but not including 1.3.1-beta. The vulnerability has a CVSS v3.1 score of 7.5, reflecting its high severity due to network attack vector, low complexity, no privileges required, and no user interaction needed, with a high impact on confidentiality. The flaw does not affect integrity or availability. No public exploits have been reported yet, but the risk remains significant given the nature of exposed sensitive information. The vulnerability is resolved in versions 1.3.1-beta and 1.2.2-stable, where the tokenized download URLs are no longer exposed without proper authentication.

The primary impact of CVE-2026-30933 is the unauthorized disclosure of sensitive download URLs from password-protected shares in FileBrowser Quantum. This exposure can lead to unauthorized access and download of confidential files, potentially resulting in data breaches, intellectual property theft, or leakage of sensitive organizational information. Since the vulnerability requires no authentication or user interaction, attackers can exploit it remotely and at scale, increasing the risk of widespread data exposure. Organizations relying on FileBrowser Quantum for file management and sharing may face compliance violations, reputational damage, and operational risks if sensitive data is leaked. Although the vulnerability does not affect data integrity or system availability, the confidentiality breach alone is significant, especially for sectors handling sensitive or regulated data such as finance, healthcare, legal, and government. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future exploitation. The vulnerability's presence in multiple versions increases the scope of affected systems globally.

To mitigate CVE-2026-30933, organizations should immediately upgrade FileBrowser Quantum to versions 1.3.1-beta or 1.2.2-stable or later, where the vulnerability is fully patched. Until upgrades are applied, administrators should avoid using password-protected shares or restrict their use to trusted internal networks only. Implement network-level access controls such as IP whitelisting and VPNs to limit exposure of the FileBrowser instance to untrusted networks. Review and audit existing shares to identify any that might expose sensitive data and revoke or reconfigure them as necessary. Monitor access logs for unusual or unauthorized access attempts to the /public/api/share/info endpoint. Additionally, consider implementing web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting this endpoint. Educate users and administrators about the risks of sharing sensitive files via tokenized URLs and enforce strict policies on file sharing and access management. Finally, maintain an up-to-date inventory of FileBrowser deployments and ensure timely application of security patches.