CVE-2026-44542 - FileBrowser public share DELETE path traversal

FileBrowser’s public-share DELETE API joined attacker-controlled path input with a trusted base path before sanitization. An unauthenticated attacker who had a valid public share hash with delete permissions could traverse outside the shared directory and delete files elsewhere within the share owner’s configured storage scope.

The fix is not only a dependency update. Production remediation should identify where public shares allow delete operations, disable that capability during rollout when possible, rebuild FileBrowser artifacts, and verify that canonical path checks happen before destructive file operations.

When to use it

Use this recipe when a repository, appliance image, or hosted file-sharing service runs FileBrowser public shares with delete permissions. It is designed for source-code remediation, canonical path enforcement, public-share risk review, and audit evidence that unauthenticated share users cannot delete outside the shared directory.

Inputs

  • FileBrowser version/commit, public share settings, delete permission policy, storage root, reverse proxy exposure, and deployment owner.
  • Source paths that join public-share paths, sanitize/canonicalize paths, authorize delete operations, and log destructive file actions.
  • Regression fixtures for .. traversal, symlinks, absolute paths, encoded separators, valid in-share deletes, and denied out-of-share deletes.
  • Evidence of public shares with delete enabled, storage scope, affected files, backups, audit logs, and temporary mitigation owner.

Affected versions

Package Vulnerable versions Fixed versions
github.com/gtsteffaniak/filebrowser <0.0.0-20260501183844-112740bdd41d 0.0.0-20260501183844-112740bdd41d

Indicator-of-exposure

  • The repository builds, vendors, embeds, deploys, or configures FileBrowser from github.com/gtsteffaniak/filebrowser.
  • Public shares are enabled.
  • Any public share permits delete/write operations.
  • FileBrowser storage roots include sensitive mounted directories, shared volumes, user home directories, build artifacts, backups, or tenant files.
  • Reverse proxy, ingress, or application logs show public-share DELETE traffic.

Quick checks:

rg -n "gtsteffaniak/filebrowser|filebrowser|public share|public_share|share.*delete|DELETE|allow.*delete|rules|storage" .
go list -m all | rg 'github.com/(gtsteffaniak|filebrowser)/filebrowser'
rg -n "filebrowser.*stable|filebrowser.*latest|public.*share|delete.*permission" Dockerfile* docker-compose*.yml charts deploy k8s .

Remediation strategy

  • Upgrade FileBrowser to 0.0.0-20260501183844-112740bdd41d or a later release that contains the same fix.
  • Regenerate Go module state, vendor trees, images, SBOMs, and deployment manifests.
  • Disable public-share delete permissions until patched deployments are live.
  • Add policy or tests proving DELETE paths are canonicalized and constrained to the intended shared root before any file deletion.
  • Review logs for public-share DELETE requests during the vulnerable window and confirm whether file restoration is needed.

The prompt

You are remediating CVE-2026-44542 (FileBrowser public-share DELETE path
traversal). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades FileBrowser, disables or
  contains public-share delete risk during rollout, adds path-boundary tests,
  refreshes generated artifacts, and documents operator checks, or
- TRIAGE.md if this repository does not own an affected FileBrowser deployment
  or cannot make a safe patch.

## Rules

- Scope only CVE-2026-44542 and directly related public-share DELETE handling.
- Do not run destructive DELETE probes against production, shared staging, real
  user directories, backups, or customer content.
- Do not print, commit, or attach file listings containing customer names,
  tenant paths, private documents, backup names, credentials, or share hashes.
- Do not preserve public unauthenticated delete access on a vulnerable build.
- Do not auto-merge.

## Steps

1. Inventory every FileBrowser reference controlled by this repository:
   Go modules, vendor trees, Dockerfiles, compose files, Helm charts,
   Kubernetes manifests, Terraform, Ansible, reverse proxy config, seeded
   settings, public-share templates, images, SBOMs, and runbooks.
2. Determine each resolved FileBrowser version or commit. A target is
   vulnerable if it resolves before `0.0.0-20260501183844-112740bdd41d`.
3. Determine whether public shares are enabled and whether any public share can
   delete files. Search config, seed data, examples, tests, UI defaults, and
   operator runbooks.
4. Identify storage roots reachable by public shares and classify blast radius:
   tenant files, user home directories, build artifacts, backups, generated
   reports, source checkouts, or shared volumes.
5. Upgrade FileBrowser to `0.0.0-20260501183844-112740bdd41d` or a later fixed
   release. Regenerate `go.mod`, `go.sum`, vendor trees, image metadata, SBOMs,
   deployment render output, and dependency reports.
6. Add containment controlled by this repository:
   - disable public-share delete permissions during rollout;
   - remove public delete from seeded share templates;
   - block public-share DELETE at gateway or WAF until patched;
   - fail closed when the share root cannot be canonicalized.
7. Add safe tests using temporary directories that prove:
   - traversal segments cannot escape the shared root;
   - encoded traversal variants cannot escape the shared root;
   - DELETE of a file inside the share still works only when permission allows;
   - unauthenticated public shares without delete permission receive denial.
8. Add a PR body section named `CVE-2026-44542 operator actions` that states:
   - FileBrowser versions or commits before and after;
   - whether public-share delete was enabled;
   - which storage roots are in scope;
   - gateway or config containment applied;
   - logs to review for public-share DELETE requests;
   - restoration checks needed if suspicious deletion attempts are found.
9. Run relevant validation: Go tests, path-boundary tests, config render tests,
   container build, deployment diff, SBOM refresh, and dependency/security
   scans available in this repository.
10. Use PR title:
    `fix(sec): remediate CVE-2026-44542 in FileBrowser shares`.

## Stop conditions

- No affected FileBrowser deployment, module, image, or generated artifact is
  controlled by this repository.
- Public share behavior is managed exclusively outside the repo; document the
  owner and required version or containment.
- Safe verification would require deleting real user, tenant, backup, or
  production files.
- A fixed version cannot be consumed and this repo cannot disable public-share
  delete or block the route.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades or patches FileBrowser, disables public-share deletes during rollout where possible, enforces canonical path containment, adds traversal tests, and documents cleanup.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, public-share exposure, delete boundary, required fix, and residual risk.
  • The output must include exact validation commands and must not delete real user files, expose share hashes, or test against production storage.

Verification - what the reviewer looks for

  • No controlled module, image, vendor tree, SBOM, or deployment artifact resolves a vulnerable FileBrowser build.
  • Public-share delete is disabled or gateway-contained during rollout when patch deployment is not atomic.
  • Path-boundary tests use temporary fixtures and prove traversal stays inside the share root.
  • Operator actions cover log review and restoration checks without exposing private file paths or deleting evidence.
  • Generated artifacts are refreshed.

Watch for

  • Images that use stable or latest tags without proving the fixed commit.
  • Seeded public shares or examples that grant delete permission by default.
  • Path checks that use string prefixes instead of canonical path comparison.
  • Tests that delete real repository files instead of temporary fixtures.

References