SB20260408139 - Multiple vulnerabilities in FileBrowser
Published: April 8, 2026 Updated: June 8, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Improper privilege management (CVE-ID: CVE-2026-32760)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to gain administrative access.
The vulnerability exists due to improper privilege management in the signup handler in http/auth.go when processing self-registration requests. A remote attacker can register a new account through the public signup endpoint to gain administrative access.
Exploitation is possible only when self-registration is enabled and the default user permissions include administrative privileges.
2) Path traversal (CVE-ID: CVE-2026-32758)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass access rules and write or move files into restricted paths.
The vulnerability exists due to path traversal in the resourcePatchHandler destination parameter when handling PATCH copy or rename requests. A remote user can send a specially crafted PATCH request with dot-dot sequences in the destination parameter to bypass access rules and write or move files into restricted paths.
Exploitation requires Create or Rename permissions, and the issue affects administrator-configured deny rules within the user's BasePathFs scope.
3) Incorrect authorization (CVE-ID: CVE-2026-32761)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to incorrect authorization in the public share download flow when serving files shared by a user who lacks download privileges. A remote user can create a public share link and retrieve the shared file content to disclose sensitive information.
Exploitation requires an authenticated user account with share permission enabled while download permission is denied, and the exposed content can then be accessed through an unauthenticated public share URL.
4) Input validation error (CVE-ID: CVE-2026-32759)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to trigger configured after_upload hooks prematurely.
The vulnerability exists due to improper input validation in the TUS resumable upload handler in http/tus_handlers.go when processing a negative Upload-Length header during upload registration and PATCH handling. A remote user can send a crafted upload request sequence with a negative Upload-Length value to trigger configured after_upload hooks prematurely.
Exploitation requires upload permission, and the impact is amplified when exec hooks are enabled.
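As an added illustration of the input checks behind vulnerabilities 2 and 4 (example code written for this bulletin, not FileBrowser's own; the function names and the deny-prefix rule model are assumptions), a Go snippet that normalizes a PATCH destination before comparing it against deny rules, so dot-dot segments cannot dodge a rule, and rejects a negative Upload-Length before any upload state is created:

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strconv"
	"strings"
)

// ErrDenied is returned when a destination resolves into a path covered by a deny rule.
var ErrDenied = errors.New("destination denied by access rule")

// normalizeDestination collapses "." and ".." segments before any rule is consulted.
// Joining onto "/" makes Clean treat the input as rooted, so ".." can never climb
// above the root of the user's scope; "/allowed/../secret" becomes "/secret".
func normalizeDestination(dest string) string {
	return path.Join("/", dest)
}

// checkDestination applies deny prefixes (absolute paths inside the user's scope,
// an assumed rule format) to the normalized destination and returns the cleaned path.
func checkDestination(dest string, deny []string) (string, error) {
	clean := normalizeDestination(dest)
	for _, d := range deny {
		d = path.Join("/", d)
		if clean == d || strings.HasPrefix(clean, d+"/") {
			return clean, ErrDenied
		}
	}
	return clean, nil
}

// checkUploadLength parses a TUS Upload-Length header and rejects anything that is
// not a non-negative integer, so a negative length never reaches the upload state.
func checkUploadLength(h string) (int64, error) {
	n, err := strconv.ParseInt(strings.TrimSpace(h), 10, 64)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid Upload-Length %q", h)
	}
	return n, nil
}

func main() {
	clean, err := checkDestination("/allowed/../secret/file.txt", []string{"/secret"})
	fmt.Println(clean, err) // /secret/file.txt destination denied by access rule
}
```

The order matters: a deny rule compared against the raw destination string would see "/allowed/..." and pass it, which is the class of bypass described in vulnerability 2.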
Remediation
Install the update from the vendor's website.
References
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5gg9-5g7w-hm73
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-9f3r-2vgw-m8xp
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-ffx7-75gc-jg7c
- https://github.com/filebrowser/filebrowser/issues/5199