CVE-2026-44542 - FileBrowser public share DELETE path traversal
FileBrowser’s public-share DELETE API joined attacker-controlled path input with a trusted base path before sanitization. An unauthenticated attacker who had a valid public share hash with delete permissions could traverse outside the shared directory and delete files elsewhere within the share owner’s configured storage scope.
The fix is not only a dependency update. Production remediation should identify where public shares allow delete operations, disable that capability during rollout when possible, rebuild FileBrowser artifacts, and verify that canonical path checks happen before destructive file operations.
When to use it
Use this recipe when a repository, appliance image, or hosted file-sharing service runs FileBrowser public shares with delete permissions. It is designed for source-code remediation, canonical path enforcement, public-share risk review, and audit evidence that unauthenticated share users cannot delete outside the shared directory.
Inputs
- FileBrowser version/commit, public share settings, delete permission policy, storage root, reverse proxy exposure, and deployment owner.
- Source paths that join public-share paths, sanitize/canonicalize paths, authorize delete operations, and log destructive file actions.
- Regression fixtures for
..traversal, symlinks, absolute paths, encoded separators, valid in-share deletes, and denied out-of-share deletes. - Evidence of public shares with delete enabled, storage scope, affected files, backups, audit logs, and temporary mitigation owner.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
github.com/gtsteffaniak/filebrowser |
<0.0.0-20260501183844-112740bdd41d |
0.0.0-20260501183844-112740bdd41d |
Indicator-of-exposure
- The repository builds, vendors, embeds, deploys, or configures FileBrowser
from
github.com/gtsteffaniak/filebrowser. - Public shares are enabled.
- Any public share permits delete/write operations.
- FileBrowser storage roots include sensitive mounted directories, shared volumes, user home directories, build artifacts, backups, or tenant files.
- Reverse proxy, ingress, or application logs show public-share DELETE traffic.
Quick checks:
rg -n "gtsteffaniak/filebrowser|filebrowser|public share|public_share|share.*delete|DELETE|allow.*delete|rules|storage" .
go list -m all | rg 'github.com/(gtsteffaniak|filebrowser)/filebrowser'
rg -n "filebrowser.*stable|filebrowser.*latest|public.*share|delete.*permission" Dockerfile* docker-compose*.yml charts deploy k8s .
Remediation strategy
- Upgrade FileBrowser to
0.0.0-20260501183844-112740bdd41dor a later release that contains the same fix. - Regenerate Go module state, vendor trees, images, SBOMs, and deployment manifests.
- Disable public-share delete permissions until patched deployments are live.
- Add policy or tests proving DELETE paths are canonicalized and constrained to the intended shared root before any file deletion.
- Review logs for public-share DELETE requests during the vulnerable window and confirm whether file restoration is needed.
The prompt
You are remediating CVE-2026-44542 (FileBrowser public-share DELETE path
traversal). Produce exactly one output:
- A reviewer-ready PR/change request that upgrades FileBrowser, disables or
contains public-share delete risk during rollout, adds path-boundary tests,
refreshes generated artifacts, and documents operator checks, or
- TRIAGE.md if this repository does not own an affected FileBrowser deployment
or cannot make a safe patch.
## Rules
- Scope only CVE-2026-44542 and directly related public-share DELETE handling.
- Do not run destructive DELETE probes against production, shared staging, real
user directories, backups, or customer content.
- Do not print, commit, or attach file listings containing customer names,
tenant paths, private documents, backup names, credentials, or share hashes.
- Do not preserve public unauthenticated delete access on a vulnerable build.
- Do not auto-merge.
## Steps
1. Inventory every FileBrowser reference controlled by this repository:
Go modules, vendor trees, Dockerfiles, compose files, Helm charts,
Kubernetes manifests, Terraform, Ansible, reverse proxy config, seeded
settings, public-share templates, images, SBOMs, and runbooks.
2. Determine each resolved FileBrowser version or commit. A target is
vulnerable if it resolves before `0.0.0-20260501183844-112740bdd41d`.
3. Determine whether public shares are enabled and whether any public share can
delete files. Search config, seed data, examples, tests, UI defaults, and
operator runbooks.
4. Identify storage roots reachable by public shares and classify blast radius:
tenant files, user home directories, build artifacts, backups, generated
reports, source checkouts, or shared volumes.
5. Upgrade FileBrowser to `0.0.0-20260501183844-112740bdd41d` or a later fixed
release. Regenerate `go.mod`, `go.sum`, vendor trees, image metadata, SBOMs,
deployment render output, and dependency reports.
6. Add containment controlled by this repository:
- disable public-share delete permissions during rollout;
- remove public delete from seeded share templates;
- block public-share DELETE at gateway or WAF until patched;
- fail closed when the share root cannot be canonicalized.
7. Add safe tests using temporary directories that prove:
- traversal segments cannot escape the shared root;
- encoded traversal variants cannot escape the shared root;
- DELETE of a file inside the share still works only when permission allows;
- unauthenticated public shares without delete permission receive denial.
8. Add a PR body section named `CVE-2026-44542 operator actions` that states:
- FileBrowser versions or commits before and after;
- whether public-share delete was enabled;
- which storage roots are in scope;
- gateway or config containment applied;
- logs to review for public-share DELETE requests;
- restoration checks needed if suspicious deletion attempts are found.
9. Run relevant validation: Go tests, path-boundary tests, config render tests,
container build, deployment diff, SBOM refresh, and dependency/security
scans available in this repository.
10. Use PR title:
`fix(sec): remediate CVE-2026-44542 in FileBrowser shares`.
## Stop conditions
- No affected FileBrowser deployment, module, image, or generated artifact is
controlled by this repository.
- Public share behavior is managed exclusively outside the repo; document the
owner and required version or containment.
- Safe verification would require deleting real user, tenant, backup, or
production files.
- A fixed version cannot be consumed and this repo cannot disable public-share
delete or block the route.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades or patches FileBrowser, disables public-share deletes during rollout where possible, enforces canonical path containment, adds traversal tests, and documents cleanup.
- Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, public-share exposure, delete boundary, required fix, and residual risk. - The output must include exact validation commands and must not delete real user files, expose share hashes, or test against production storage.
Verification - what the reviewer looks for
- No controlled module, image, vendor tree, SBOM, or deployment artifact resolves a vulnerable FileBrowser build.
- Public-share delete is disabled or gateway-contained during rollout when patch deployment is not atomic.
- Path-boundary tests use temporary fixtures and prove traversal stays inside the share root.
- Operator actions cover log review and restoration checks without exposing private file paths or deleting evidence.
- Generated artifacts are refreshed.
Watch for
- Images that use
stableorlatesttags without proving the fixed commit. - Seeded public shares or examples that grant delete permission by default.
- Path checks that use string prefixes instead of canonical path comparison.
- Tests that delete real repository files instead of temporary fixtures.
Related recipes
- Source code attack surface map
- Source code authz tenant boundary audit
- Source code secrets and data exposure audit
- NIST SSDF repository evidence check
References
- GitHub Advisory: https://github.com/advisories/GHSA-fwj3-42wh-8673
- FileBrowser advisory: https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-fwj3-42wh-8673
- GitLab Advisory Database: https://advisories.gitlab.com/golang/github.com/gtsteffaniak/filebrowser/CVE-2026-44542/
- NVD CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-44542