#VU125400 Improper privilege management in FileBrowser - CVE-2026-35607

 


Published: April 8, 2026


Vulnerability identifier: #VU125400
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35607
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: FileBrowser
Software vendor: File Browser

Description

The vulnerability allows a remote user to execute configured commands.

The vulnerability exists due to improper privilege management in the proxy authentication auto-provisioning logic, which creates a user on the first successful proxy-auth login. A remote user who authenticates through the proxy inherits the execute permission and the configured commands, and can then execute those commands.

Exploitation requires proxy authentication to be enabled, execution to be allowed, and default settings to include configured commands.


Remediation

Install the security update from the vendor's website.
