CVE-2026-29188: Improper Access Control in Filebrowser

Severity: 8.1 HIGH (NVD), 9.1 (CNA)
EPSS: 0.0% (top 93.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 5; latest update Mar 10

Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion fo

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Exploitability: 2.8 | Impact: 5.2

Affected Packages: 3 packages

Patches

🔴 Vulnerability Details (4)

OSV: File Browser's TUS Delete Endpoint Bypasses Delete Permission Check in github.com/filebrowser/filebrowser (2026-03-10)
CVEList: File Browser: TUS Delete Endpoint Bypasses Delete Permission Check (2026-03-05)
GHSA: File Browser's TUS Delete Endpoint Bypasses Delete Permission Check (2026-03-04)
OSV: File Browser's TUS Delete Endpoint Bypasses Delete Permission Check (2026-03-04)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-29188 Impact, Exploitability, and Mitigation Steps | Wiz