CVE-2026-62685 in File Browser
Summary
by MITRE • 07/15/2026
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser builds new user scopes from usernames passed through cleanUsername() when Signup=true and CreateUserDir=true, but the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory without checking whether the resulting scope is already taken, allowing a second registrant to gain full read and write access to another user's files. This issue is fixed in version 2.63.17.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability described affects File Browser versions prior to 2.63.17 and represents a critical directory traversal and privilege escalation issue stemming from inadequate user scope validation during the registration process. This flaw occurs when the system operates with Signup=true and CreateUserDir=true configuration parameters, creating conditions where multiple distinct usernames can be normalized to identical directory paths through the cleanUsername() function. The technical implementation fails to perform proper collision detection or validation checks before establishing new user scopes, allowing for the creation of overlapping directory structures that compromise file access controls.
The core technical flaw manifests in the normalization process where usernames containing special characters such as forward slashes, spaces, and hyphens are processed through cleanUsername() function without sufficient sanitization to prevent ambiguous mappings. Usernames like "team/one", "team one", and "team-one" all resolve to identical directory structures, creating a scenario where multiple users can inadvertently share the same home directory. This normalization behavior violates fundamental security principles by allowing arbitrary user registration to overwrite or access existing user directories without proper authorization checks or conflict resolution mechanisms.
The operational impact of this vulnerability extends beyond simple data exposure to encompass complete privilege escalation capabilities for authenticated users. When a second user registers with a normalized username that maps to an existing directory, they gain full read and write permissions to another user's files, effectively bypassing the intended access controls and file isolation mechanisms. This creates a persistent security risk where legitimate users lose control over their file directories and unauthorized users can access sensitive information through simple registration attacks. The vulnerability operates as a privilege escalation vector that undermines the core authentication and authorization model of the file browser system.
Security professionals should note this issue aligns with CWE-285 (Improper Authorization) and CWE-74 (Improper Neutralization of Special Elements in Output), while also demonstrating characteristics of privilege escalation techniques found in ATT&CK matrix under T1078 (Valid Accounts) and T1566 (Phishing). The vulnerability exploits weak input validation and normalization processes that should have been addressed through proper access control checks and unique identifier generation. Organizations using File Browser versions prior to 2.63.17 must immediately implement the patch that resolves the username normalization collision handling, ensuring that each user scope is properly validated against existing directories before creation.
Mitigation strategies should include immediate deployment of version 2.63.17 or higher to address the core normalization issue, followed by implementation of additional access control measures such as regular directory audits and monitoring for unexpected user scope creations. System administrators should also consider implementing input validation rules that prevent problematic username patterns from being normalized in ways that could create directory collisions. The fix in version 2.63.17 addresses this through enhanced collision detection mechanisms that verify whether a proposed user scope already exists before allowing new user registration to proceed, preventing the scenario where multiple users can inadvertently share the same file access permissions.