CVE-2026-29188 in filebrowserinfo

Summary

by MITRE • 03/05/2026

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.


Analysis

by VulDB Data Team • 03/11/2026

The vulnerability described in CVE-2026-29188 is a critical access control flaw in the File Browser application that undermines the security model of multi-user deployments. It affects the DELETE endpoint of File Browser's TUS protocol implementation, which is used for resumable file uploads and related management operations. The flaw manifests when authenticated users who hold only the Create permission are nevertheless able to delete files and directories within their assigned scope. This is a direct violation of the principle of least privilege and a breakdown of the permission enforcement that should protect file system integrity. All versions prior to 2.61.1 are affected; that release adds the missing authorization check.

Technically, the vulnerability stems from an improper authorization check in the TUS protocol handling component of File Browser. When a user issues a request to the TUS DELETE endpoint, the server does not verify that the authenticated user holds the Delete permission before carrying out the removal. A user who has the Create permission but not the Delete permission can therefore bypass the intended access control. Because the check is missing for the directory scope the user is confined to, such a user can delete arbitrary files and directories within that scope, a privilege escalation in which users perform actions beyond their assigned permissions. The flaw is particularly concerning in multi-user environments where administrators have explicitly configured restricted permissions for certain users or groups.

The operational impact of this vulnerability extends beyond simple unauthorized file deletion, as it fundamentally compromises the security posture of any File Browser deployment that relies on granular permission controls. In multi-user environments, administrators typically implement role-based access controls to prevent certain users from deleting files they created or to restrict access to sensitive directories. This vulnerability allows authenticated users to circumvent these protections, potentially leading to data loss, information disclosure, and system integrity compromise. The vulnerability affects any deployment where administrators have explicitly restricted file deletion permissions, making it particularly dangerous in enterprise environments where file access control is critical for compliance and security requirements. Attackers could exploit this flaw to remove important documents, corrupt file structures, or systematically delete files that are protected by administrative policies.

This vulnerability aligns with CWE-285, which addresses improper authorization within software systems, and represents a clear violation of the access control principles that should govern all file management operations. The flaw also maps to ATT&CK technique T1078.004, which covers valid accounts used for unauthorized access, as it exploits legitimate authenticated user sessions to perform unauthorized operations. Organizations using File Browser in production should immediately review their deployment configuration to determine whether any users have been granted the Create permission while being denied the Delete permission, since those are the accounts the flaw affects. The patch in version 2.61.1 addresses the issue by strengthening the authorization checks within the TUS protocol DELETE endpoint, ensuring that every delete operation is validated against the user's permissions before execution. Security teams should test that the access control mechanisms function correctly after applying the patch and should review logs for deletions performed by such restricted accounts before the fix was applied.
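The missing check and its patched form, modelled as added example code rather than File Browser's own source (the User type, scope root, handler names and sample paths are assumptions):

```go
package main

import (
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// User is a constructed model of a File Browser-style account with a scope
// root and separate Create/Delete flags; hypothetical, not the project's type.
type User struct {
	Scope  string
	Create bool
	Delete bool
}

// withinScope confines the requested path to the user's scope root. Both
// handlers keep this check: the advisory describes a permission bypass, not
// a scope escape.
func withinScope(u User, p string) bool {
	clean := filepath.Clean("/" + p)
	root := filepath.Clean("/" + u.Scope)
	return clean == root || strings.HasPrefix(clean, root+"/")
}

// tusDeleteVulnerable models the pre-2.61.1 behaviour the advisory describes:
// the DELETE endpoint is gated on the upload (Create) permission only, so a
// user explicitly denied Delete still gets through. Returns an HTTP status.
func tusDeleteVulnerable(u User, path string) int {
	if !u.Create || !withinScope(u, path) {
		return http.StatusForbidden
	}
	return http.StatusNoContent // removal would be performed here
}

// tusDeleteFixed is the hardened form: every removal through the endpoint
// requires the Delete permission, regardless of Create.
func tusDeleteFixed(u User, path string) int {
	if !u.Delete || !withinScope(u, path) {
		return http.StatusForbidden
	}
	return http.StatusNoContent
}

func main() {
	u := User{Scope: "/srv/files/alice", Create: true, Delete: false}
	fmt.Println(tusDeleteVulnerable(u, "/srv/files/alice/report.pdf")) // 204
	fmt.Println(tusDeleteFixed(u, "/srv/files/alice/report.pdf"))      // 403
}
```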

Responsible

GitHub M

Reservation

03/04/2026

Disclosure

03/05/2026

Moderation

accepted

CPE

ready

EPSS

0.00027

KEV

no

Activities

very low
