Improper privilege management in FileBrowser - CVE-2026-35607

 


Published: April 8, 2026


Vulnerability identifier: #VU125400
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35607
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: File Browser
Affected software:
FileBrowser

Detailed vulnerability description

The vulnerability allows a remote user to execute configured commands.

The vulnerability exists due to improper privilege management in the proxy authentication auto-provisioning logic, which creates a user on the first successful proxy-auth login. A remote user who authenticates through the proxy inherits the execute permission and the configured commands, and can then execute those commands.

Exploitation requires proxy authentication to be enabled, execution to be allowed, and default settings to include configured commands.
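The privilege-inheritance pattern described above, as an added Go example that is not FileBrowser's own code and not the vendor's patch. All type and function names are hypothetical, the sample defaults are constructed, and the least-privilege variant is only one possible hardening.

```go
package main

import "fmt"

// Hypothetical model of global defaults and a user record (not FileBrowser's types).
type Perms struct{ Execute, Download bool }

type Defaults struct {
	Perm     Perms
	Commands []string
}

type User struct {
	Name     string
	Perm     Perms
	Commands []string
}

// provisionInherit models the flawed pattern: a user auto-created on first
// proxy-auth login receives every default, including execute and commands.
func provisionInherit(name string, d Defaults) User {
	return User{Name: name, Perm: d.Perm, Commands: append([]string(nil), d.Commands...)}
}

// provisionLeastPrivilege models one possible hardening (assumption): auto-created
// users keep ordinary defaults but never receive execute rights or commands.
func provisionLeastPrivilege(name string, d Defaults) User {
	u := provisionInherit(name, d)
	u.Perm.Execute = false
	u.Commands = nil
	return u
}

// canExecute applies the remaining conditions: execution enabled server-wide,
// execute permission on the user, and the command present in the user's list.
func canExecute(u User, execEnabled bool, cmd string) bool {
	if !execEnabled || !u.Perm.Execute {
		return false
	}
	for _, c := range u.Commands {
		if c == cmd {
			return true
		}
	}
	return false
}

func main() {
	d := Defaults{Perm: Perms{Execute: true, Download: true}, Commands: []string{"git"}} // constructed sample
	fmt.Println("inherited defaults:", canExecute(provisionInherit("alice", d), true, "git"))
	fmt.Println("least privilege:   ", canExecute(provisionLeastPrivilege("alice", d), true, "git"))
}
```

Until the update is installed, breaking any one of the three preconditions in the model (proxy auto-provisioning, execution enabled, commands in the defaults) makes `canExecute` return false for newly created users.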


How to mitigate CVE-2026-35607

Install the security update from the vendor's website.
