CVE-2026-34528
Published 2026-04-01
Priority: P266 | Severity: critical 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.65% (46.7th percentile)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.
Affected (2 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | < 2.62.2 | 2.62.2 |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.62.2 | 2.62.2 |
GHSA
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
ghsa·2026-03-31
CVE-2026-34528 [HIGH] CWE-269 File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
## Summary
The `signupHandler` in File Browser applies default user permissions via `d.settings.Defaults.Apply(user)`, then strips only `Admin` (commit `a63573b`). The `Execute` permission and `Commands` list from the default user template are **not** stripped. When an administrator has enabled signup, server-side execution, and set `Execute=true` in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server.
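As an added illustration (not File Browser's own code and not the 2.62.2 patch), the Go sketch below models the signup flow the advisory describes, using assumed type and field names: the vulnerable path applies the default template and strips only `Admin`, a hardened path also clears `Execute` and `Commands`, and `InheritsExecution` is an audit check an operator could run over self-registered accounts.

```go
package main
import "fmt"

// Permissions and User model File Browser's per-user permission set; the type and field names are assumptions for this example.
type Permissions struct {
	Admin   bool
	Execute bool
}

type User struct {
	Perm     Permissions
	Commands []string
}

// UserDefaults is the administrator-editable default user template.
type UserDefaults struct {
	Perm     Permissions
	Commands []string
}

// Apply copies the template onto a new user, as the advisory describes.
func (d UserDefaults) Apply(u *User) {
	u.Perm = d.Perm
	u.Commands = append([]string(nil), d.Commands...)
}

// vulnerableSignup models the pre-2.62.2 behaviour: only Admin is stripped, so Execute and Commands leak to the self-registered user.
func vulnerableSignup(d UserDefaults) *User {
	u := &User{}
	d.Apply(u)
	u.Perm.Admin = false
	return u
}

// hardenedSignup also drops every execution capability (least privilege for self-registered accounts); not the project's actual patch.
func hardenedSignup(d UserDefaults) *User {
	u := vulnerableSignup(d)
	u.Perm.Execute = false
	u.Commands = nil
	return u
}

// InheritsExecution is an audit check: true if a signup-created user can run commands.
func InheritsExecution(u *User) bool { return u.Perm.Execute || len(u.Commands) > 0 }

func main() {
	// Constructed risky configuration: Execute=true and a Commands list in the template.
	d := UserDefaults{Perm: Permissions{Admin: true, Execute: true}, Commands: []string{"git"}}
	fmt.Println(InheritsExecution(vulnerableSignup(d)), InheritsExecution(hardenedSignup(d))) // true false
}
```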
## Details
### Root Cause
`signupHandler` at `http/auth.go:167–172` applies all default permissions before stripping only `Admin`:
```go
// http/auth.go
d.settings.Defaults.Apply(user) // cop
```
OSV
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
osv·2026-03-31
No detection rules found.
No public exploits indexed.