CVE-2026-32760
Published 2026-03-20
Priority: P2 (64) | Severity: critical | CVSS 3.1 base score: 9.8
CVSS 3.1 metrics: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.68% (47.6th percentile)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings (including Perm.Admin) to the new user without any server-side guard that strips admin from self-registered accounts. The signupHandler is supposed to create unprivileged accounts for new visitors. It contains no explicit user.Perm.Admin = false reset after applying defaults. If an administrator (intentionally or accidentally) configures defaults.perm.admin = true and also enables signup, every account created via the public registration endpoint is an administrator with full control over all files, users, and server settings. This issue has been resolved in version 2.62.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | < 2.62.0 | 2.62.0 |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.62.0 | 2.62.0 |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.62.2 | 2.62.2 |
CVSS provenance
NVD, CVSS v3.1: 9.8 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA, 2026-03-31 (also indexed in OSV)
CVE-2026-34528 [HIGH] CWE-269 File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
## Summary
The `signupHandler` in File Browser applies default user permissions via `d.settings.Defaults.Apply(user)`, then strips only `Admin` (commit `a63573b`). The `Execute` permission and `Commands` list from the default user template are **not** stripped. When an administrator has enabled signup, server-side execution, and set `Execute=true` in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server.
## Details
### Root Cause
`signupHandler` at `http/auth.go:167–172` applies all default permissions before stripping only `Admin`:
```go
// http/auth.go
d.settings.Defaults.Apply(user) // cop
```
OSV, 2026-03-26
CVE-2026-32760 File Browser Signup Grants Admin When Default Permissions Include Admin in github.com/filebrowser/filebrowser
GHSA, 2026-03-16 (also indexed in OSV)
CVE-2026-32760 [CRITICAL] CWE-269 File Browser Signup Grants Admin When Default Permissions Include Admin
## Summary
Any unauthenticated visitor can register a full administrator account when self-registration (`signup = true`) is enabled and the default user permissions have `perm.admin = true`. The signup handler blindly applies all default settings, including `Perm.Admin`, to the new user without any server-side guard that strips admin from self-registered accounts.
## Details
**Affected file:** http/auth.go
**Vulnerable code:**
```go
user := &users.User{
Username: info.Username,
}
d.settings.Defaults.Apply(user)
```
**`settings.UserDefaults.Apply` (settings/defaults.go):**
```go
func (d *UserDefaults) Apply(u *users.User) {
u.Perm = d.Perm
...
}
```
**Settings API permits Admin in defaults (http/settings.go)**
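The handler logic that both advisories on this page describe (the admin leak in CVE-2026-32760 and the execute/commands leak in CVE-2026-34528), reconstructed as an added example in Go. This is not File Browser's own code: the type and field names follow the identifiers the advisories quote (`users.User`, `Perm`, `Commands`, `settings.UserDefaults.Apply`), but the struct definitions, the three signup variants and the `AuditSignupDefaults` check are hypothetical and trimmed for illustration. It shows the pre-2.62.0 path inheriting `Admin`, an admin-only strip that still passes `Execute` and `Commands` through, a hardened variant that resets every privilege an unauthenticated endpoint should never grant, and a configuration audit that flags the dangerous combinations before signup is switched on.

```go
package main

import "fmt"

// Hypothetical, trimmed reconstruction of the shapes the advisories name;
// not File Browser's users.Permissions / users.User / settings.UserDefaults.
type Permissions struct {
	Admin    bool
	Execute  bool
	Create   bool
	Modify   bool
	Delete   bool
	Download bool
}

type User struct {
	Username string
	Perm     Permissions
	Commands []string // shell commands allowed when server-side execution is on
}

type UserDefaults struct {
	Perm     Permissions
	Commands []string
}

// Apply copies the template onto the user wholesale, as the advisory quotes
// settings.UserDefaults.Apply doing (u.Perm = d.Perm).
func (d *UserDefaults) Apply(u *User) {
	u.Perm = d.Perm
	u.Commands = append([]string(nil), d.Commands...)
}

// SignupBefore262 models the pre-2.62.0 handler: defaults applied, nothing
// reset, so a template with Admin=true yields an administrator.
func SignupBefore262(d *UserDefaults, username string) *User {
	u := &User{Username: username}
	d.Apply(u)
	return u
}

// SignupAdminOnlyStrip models a fix that resets Admin only. Execute and
// Commands still pass through, which is the gap CVE-2026-34528 describes.
func SignupAdminOnlyStrip(d *UserDefaults, username string) *User {
	u := SignupBefore262(d, username)
	u.Perm.Admin = false
	return u
}

// SignupHardened resets every privilege an unauthenticated endpoint must
// never hand out, whatever the template says.
func SignupHardened(d *UserDefaults, username string) *User {
	u := SignupBefore262(d, username)
	u.Perm.Admin = false
	u.Perm.Execute = false
	u.Commands = nil
	return u
}

// AuditSignupDefaults is the configuration check: one finding per dangerous
// combination of signup and the default template. Nil means nothing to fix.
func AuditSignupDefaults(signup bool, d *UserDefaults) []string {
	if !signup {
		return nil // with signup off the template never reaches a stranger
	}
	var findings []string
	if d.Perm.Admin {
		findings = append(findings,
			"signup=true with defaults.perm.admin=true: self-registered users become administrators (CVE-2026-32760)")
	}
	if d.Perm.Execute || len(d.Commands) > 0 {
		findings = append(findings,
			"signup=true with defaults granting execute/commands: self-registered users can run shell commands (CVE-2026-34528)")
	}
	return findings
}

func main() {
	// Constructed input: the misconfiguration both advisories describe.
	defaults := &UserDefaults{
		Perm:     Permissions{Admin: true, Execute: true, Create: true, Download: true},
		Commands: []string{"ls", "cat"},
	}
	for _, f := range AuditSignupDefaults(true, defaults) {
		fmt.Println("finding:", f)
	}
	variants := []struct {
		name string
		fn   func(*UserDefaults, string) *User
	}{
		{"before 2.62.0", SignupBefore262},
		{"admin-only strip", SignupAdminOnlyStrip},
		{"hardened", SignupHardened},
	}
	for _, v := range variants {
		u := v.fn(defaults, "visitor")
		fmt.Printf("%-17s admin=%-5v execute=%-5v commands=%v\n",
			v.name, u.Perm.Admin, u.Perm.Execute, u.Commands)
	}
}
```

Run it as is; the constructed defaults in `main` reproduce the misconfiguration (signup on, template with admin and execute set). The audit is the part worth keeping: where self-registration has to stay enabled, the default template should carry no admin, execute or commands, and that check holds regardless of which File Browser version is installed.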
No detection rules found.
No public exploits indexed.
Published 2026-03-20