CVE-2026-32760Improper Privilege Management in Filebrowser

CWE-269Improper Privilege ManagementCWE-284Improper Access Control6 documents5 sources
Severity
10.0CRITICALNVD
EPSS
0.0%
top 95.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
FilebrowserGithub.com Filebrowser Filebrowser V2
Timeline
PublishedMar 20
Latest updateMar 26

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings (including Perm.Admin) to the new user without any server-side guard that strips admin from self-reg

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages3 packages

CVEListV5filebrowser/filebrowser< 2.62.0

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
File Browser Signup Grants Admin When Default Permissions Include Admin in github.com/filebrowser/filebrowser2026-03-26
CVEList
File Browser Self Registration Grants Any User Admin Access When Default Permissions Include Admin2026-03-19
GHSA
File Browser Signup Grants Admin When Default Permissions Include Admin2026-03-16
OSV
File Browser Signup Grants Admin When Default Permissions Include Admin2026-03-16

🕵️Threat Intelligence

1
Wiz
CVE-2026-32760 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-32760 — Improper Privilege Management | cvebase