CVE-2026-35607Improper Privilege Management in Filebrowser

CWE-269Improper Privilege Management5 documents5 sources
Severity
8.1HIGHNVD
EPSS
0.1%
top 74.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
FilebrowserGithub.com Filebrowser Filebrowser V2
Timeline
PublishedApr 7
Latest updateApr 8

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 ("self-registered users don't get execute perms") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global defaults, even though the s

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

CVEListV5filebrowser/filebrowser< 2.63.1

🔴Vulnerability Details

3
OSV
File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands2026-04-08
GHSA
File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands2026-04-08
CVEList
File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands2026-04-07

🕵️Threat Intelligence

1
Wiz
CVE-2026-35607 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-35607 — Improper Privilege Management | cvebase