CRITICAL🇵🇱 Wersja polska

CVE-2026-32760

CVSS 10.0v4.0pub. 2026-03-20upd. 2026-03-23

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings (including Perm.Admin) to the new user without any server-side guard that strips admin from self-registered accounts. The signupHandler is supposed to create unprivileged accounts for new visitors. It contains no explicit user.Perm.Admin = false reset after applying defaults. If an administrator (intentionally or accidentally) configures defaults.perm.admin = true and also enables signup, every account created via the public registration endpoint is an administrator with full control over all files, users, and server settings. This issue has been resolved in version 2.62.0.

🤖 AI Analysis
How it works

The registration handling procedure (signupHandler) copies all default system settings to the newly created account without any server-side verification that would remove the administrator flag from accounts created through the public endpoint. There is a missing explicit reset of the user.Perm.Admin = false field after applying the default configuration. If an administrator — intentionally or by mistake — sets defaults.perm.admin = true and simultaneously enables the signup feature, every account created through the public registration form automatically receives administrator privileges. An attacker does not need to possess any existing credentials or perform any additional steps.

Impact

An attacker gains full control over the File Browser application, including access to all files, the ability to manage other users' accounts, and modification of server settings. As a result, it is possible to read, delete, or overwrite any files stored in the managed directory.

Mitigation & patch

Update File Browser to version 2.62.0, in which the issue has been resolved. Until the update, immediately disable the self-registration option (signup = false) or ensure that the default user permissions do not include the perm.admin = true flag.

Who is affected

File Browser in versions 2.61.2 and earlier, with configuration having self-registration enabled (signup = true) and default setting perm.admin = true

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Filebrowser

    APP
    Filebrowser
    < 2.62.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-29188CRITICAL9.1PL ✓ten sam produkt

Broken Access Control w File Browser — usuwanie plików bez uprawnień

CVE-2023-39612CRITICAL9.0ten sam produkt

A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to e...

CVE-2026-35604HIGH8.2ten sam produkt

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files wit...

CVE-2026-35585HIGH7.5ten sam produkt

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files wit...

CVE-2026-35607HIGH8.1ten sam produkt

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files wit...