
CVE

CVE-2026-35605

File Browser has an access rule bypass via HasPrefix without trailing separator in path matching

Hi,

The Matches() function in rules/rules.go uses strings.HasPrefix() without a trailing directory separator when matching paths against access rules. A rule for /uploads also matches /uploads_backup/, granting or denying access to unintended directories. Verified against v2.62.2 (commit 860c19d).

Details

At rules/rules.go:29-35:

    func (r *Rule) Matches(path string) bool {
        if r.Regex {
            return r.Regexp.MatchString(path)
        }
        // Bare prefix check: nothing requires the match to end at a "/" boundary.
        return strings.HasPrefix(path, r.Path)
    }

When a rule has Path: "/uploads", any path starting with /uploads matches, including /uploads_backup/secret.txt. The regex variant at line 31 uses proper matching, but the non-regex path uses a prefix check without ensuring the match ends at a directory boundary.

The Check() function at http/data.go:29-48 iterates all rules with last-match-wins semantics. No secondary validation exists beyond this prefix check.

PoC

Admin configures: allow rule Path: "/shared" for a restricted user.

Filesystem contains:

  • /shared/ (intended to be accessible)
  • /shared_private/ (intended to be restricted)

User requests /shared_private/secret.txt:

  • strings.HasPrefix("/shared_private/secret.txt", "/shared") returns true
  • Allow rule applies
  • Access granted to the unintended directory

Impact

Authenticated users can access files in sibling directories that share a common prefix with an allowed directory, bypassing the admin's intended access configuration.

Prior art

Prior advisories GHSA-4mh3-h929-w968 (path-based access control bypass) and GHSA-9f3r-2vgw-m8xp (path traversal in copy/rename) addressed related access control issues. This HasPrefix prefix-collision is a distinct, unreported variant.

Suggested Fix

    func (r *Rule) Matches(path string) bool {
        if r.Regex {
            return r.Regexp.MatchString(path)
        }
        // Anchor the prefix at a directory boundary ("/" itself is left as-is).
        prefix := r.Path
        if prefix != "/" && !strings.HasSuffix(prefix, "/") {
            prefix += "/"
        }
        // Match the directory itself, or anything below it.
        return path == r.Path || strings.HasPrefix(path, prefix)
    }

Koda Reef

---

Update: Fix submitted as PR #5889.
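The prefix collision and the suggested fix side by side, as an added example that is not the File Browser project's code or the reporter's: a reduced Rule struct (constructed here), the pre-fix and post-fix match functions, and a last-match-wins evaluator modelled on the Check() behaviour the advisory describes.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a reduced stand-in for File Browser's rules.Rule (constructed for this example).
type Rule struct {
	Allow bool
	Path  string
}

// matchesVulnerable reproduces the pre-fix check from the advisory: a bare
// prefix test, so Path "/shared" also matches "/shared_private/...".
func matchesVulnerable(r Rule, path string) bool {
	return strings.HasPrefix(path, r.Path)
}

// matchesFixed applies the advisory's suggested fix: the path must equal the
// rule path exactly or continue past it at a "/" directory boundary.
func matchesFixed(r Rule, path string) bool {
	prefix := r.Path
	if prefix != "/" && !strings.HasSuffix(prefix, "/") {
		prefix += "/"
	}
	return path == r.Path || strings.HasPrefix(path, prefix)
}

// allowed evaluates rules with last-match-wins semantics, as the advisory
// describes for Check(); paths matching no rule get the defaultAllow verdict.
func allowed(rules []Rule, path string, match func(Rule, string) bool, defaultAllow bool) bool {
	verdict := defaultAllow
	for _, r := range rules {
		if match(r, path) {
			verdict = r.Allow
		}
	}
	return verdict
}

func main() {
	rules := []Rule{{Allow: true, Path: "/shared"}}
	for _, p := range []string{"/shared/report.pdf", "/shared_private/secret.txt"} {
		fmt.Printf("%-28s vulnerable=%-5v fixed=%v\n", p,
			allowed(rules, p, matchesVulnerable, false),
			allowed(rules, p, matchesFixed, false))
	}
}
```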


CVSS

CVSS Version: 4.0
Base Score: 6.3
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X


References

  • https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5q48-q4fm-g3m6
  • https://nvd.nist.gov/vuln/detail/CVE-2026-35605
  • https://github.com/filebrowser/filebrowser/pull/5889
  • https://github.com/filebrowser/filebrowser

Basic Information

Severity (Base CVSS): 7.5
EPSS Probability: 0.00029%
EPSS Percentile: 0.08754%
Introduced Version: 0
Fix Available: 2.63.1
