CVE-2026-32760 in filebrowserinfo

Summary

by MITRE • 03/20/2026

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings (including Perm.Admin) to the new user without any server-side guard that strips admin from self-registered accounts. The signupHandler is supposed to create unprivileged accounts for new visitors. It contains no explicit user.Perm.Admin = false reset after applying defaults. If an administrator (intentionally or accidentally) configures defaults.perm.admin = true and also enables signup, every account created via the public registration endpoint is an administrator with full control over all files, users, and server settings. This issue has been resolved in version 2.62.0.


Analysis

by VulDB Data Team • 03/25/2026

This vulnerability exists within File Browser, a web-based file management interface that allows users to perform operations such as uploading, deleting, previewing, renaming, and editing files within specified directories. The flaw specifically affects versions 2.61.2 and earlier, where the system's user registration mechanism fails to properly validate and sanitize administrative privileges during account creation. The vulnerability stems from the system's configuration where self-registration is enabled through the signup = true parameter, combined with default user permissions that inadvertently grant administrative access. When administrators configure the system with defaults.perm.admin = true alongside enabled signup functionality, the system creates a critical security gap that allows any unauthenticated visitor to gain full administrative privileges upon registration.

The technical implementation flaw lies in the signupHandler function which processes new user registrations without implementing proper privilege sanitization. This handler blindly applies all default configuration settings, including administrative permissions, to newly created accounts without any server-side validation or explicit removal of administrative privileges. The system's design assumes that all new users should start with default permissions, but fails to account for the scenario where these defaults might include administrative capabilities. This represents a classic privilege escalation vulnerability where default configuration settings are not properly validated against the intended security model. The vulnerability directly maps to CWE-276, which addresses inadequate privilege management, and specifically demonstrates poor input validation and privilege control mechanisms.

The operational impact of this vulnerability is severe and far-reaching, as it allows any anonymous user to gain complete administrative control over the File Browser system. Once an attacker registers an account through the public registration endpoint, they immediately possess full control over all files, user accounts, and system settings within the managed directory structure. This includes the ability to delete, modify, or exfiltrate sensitive data, create additional administrative accounts, modify system configurations, and potentially escalate their access further within the network environment. The vulnerability essentially transforms a legitimate file management interface into a full compromise vector, as the system's default security model is bypassed entirely. This aligns with ATT&CK technique T1078.004, which covers legitimate credentials obtained through default accounts, and represents a critical failure in the principle of least privilege.

The mitigation strategy involves upgrading to version 2.62.0 or later, which addresses the core issue by implementing proper privilege sanitization during user registration. Organizations should also immediately review their configuration settings to ensure that defaults.perm.admin is not set to true when signup functionality is enabled. The system administrators must implement explicit privilege controls that prevent automatic administrative assignment to new users, regardless of default configuration values. Additionally, organizations should consider implementing additional security measures such as rate limiting for registration attempts, monitoring for unusual registration patterns, and regular security audits of configuration files to prevent similar misconfigurations. The vulnerability highlights the importance of proper privilege management and the need for explicit security controls even when default configurations might seem innocuous.
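The following Go program illustrates both the handler defect described in the analysis above and the configuration check the mitigation paragraph calls for. It is an added example written for this page, not File Browser's own code: the Perm, Settings and User types, the two signup functions and AuditSettings are simplified stand-ins chosen to make the control flow visible. The vulnerable handler copies the configured defaults into the new account unchanged, so a defaults.perm.admin = true setting produces an administrator; the hardened handler applies the same defaults and then clears the admin bit on the server side, which is the guard the advisory says was missing. AuditSettings flags the signup-plus-admin-default combination so it can be caught at startup or during a configuration review rather than after a registration.

```go
package main

import (
	"errors"
	"fmt"
)

// Perm is a simplified permission set (assumed for this example; not File
// Browser's real type). Only Admin matters for the issue discussed.
type Perm struct {
	Admin  bool
	Create bool
	Modify bool
	Delete bool
}

// Settings holds the two configuration values the advisory names:
// whether self-registration is enabled and the defaults applied to new users.
type Settings struct {
	Signup   bool
	Defaults Perm
}

// User is the account created by the signup handler.
type User struct {
	Username string
	Perm     Perm
}

var ErrSignupDisabled = errors.New("signup is disabled")

// VulnerableSignup models the pre-2.62.0 behaviour described in the advisory:
// every default, including the Admin bit, is copied to the new account.
func VulnerableSignup(s Settings, username string) (User, error) {
	if !s.Signup {
		return User{}, ErrSignupDisabled
	}
	u := User{Username: username}
	u.Perm = s.Defaults // Admin carried over verbatim: the defect
	return u, nil
}

// HardenedSignup applies the same defaults, then explicitly strips Admin.
// Self-registered accounts can never be administrators, whatever the config says.
func HardenedSignup(s Settings, username string) (User, error) {
	if !s.Signup {
		return User{}, ErrSignupDisabled
	}
	u := User{Username: username}
	u.Perm = s.Defaults
	u.Perm.Admin = false // server-side guard independent of defaults
	return u, nil
}

// AuditSettings reports the dangerous combination (signup enabled while the
// default permissions include admin) so it can be caught before any account
// is created.
func AuditSettings(s Settings) []string {
	var findings []string
	if s.Signup && s.Defaults.Admin {
		findings = append(findings,
			"signup enabled while defaults.perm.admin=true: self-registered users would become administrators")
	}
	return findings
}

func main() {
	// Constructed configuration reproducing the misconfiguration from the advisory.
	cfg := Settings{Signup: true, Defaults: Perm{Admin: true, Create: true}}

	for _, f := range AuditSettings(cfg) {
		fmt.Println("WARN:", f)
	}

	v, _ := VulnerableSignup(cfg, "visitor")
	h, _ := HardenedSignup(cfg, "visitor")
	fmt.Printf("vulnerable handler: admin=%v\n", v.Perm.Admin) // true
	fmt.Printf("hardened handler:   admin=%v\n", h.Perm.Admin) // false
}
```

Running the program with the constructed configuration prints the audit warning, then shows the vulnerable handler granting admin and the hardened handler refusing it while keeping the other defaults (Create stays true). The point of keeping the audit separate from the handler is defence in depth: the hardened handler makes the misconfiguration harmless, and the audit makes it visible, so a deployment that is still on an affected version at least learns about the exposure at startup.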

Responsible

GitHub M

Reservation

03/13/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00026

KEV

no

Activities

very low

Sources
