Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.
Published: 2026-03-05
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of files by users lacking delete permission
Action: Patch Immediately
AI Analysis

Impact

File Browser implements a TUS protocol DELETE endpoint that should enforce delete permissions. Users who only have Create rights can send a DELETE request and remove any file or directory within the scope granted to them, bypassing the intended Delete permission check. This broken access control flaw violates the principle of least privilege (CWE-284) and leads to unauthorized modification or removal of data, causing potential loss of integrity and availability. The vulnerability is purely an access‑control weakness; it does not allow arbitrary code execution or remote code execution but enables privileged escalation within the application’s file management subsystem.

Affected Systems

The flaw exists in File Browser v2.60 and earlier, up to the release of v2.61.1. Any multi‑user deployment where administrators limit file deletion for certain users is affected. The product is identified in the Vendor/Product list as filebrowser/filebrowser and is documented in the public GitHub releases and advisory.

Risk and Exploitability

The CVSS score of 9.1 indicates critical severity, and the EPSS score of less than 1% suggests that exploitation attempts are rare but possible. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to be authenticated with a role that includes Create permission; no special network conditions or additional software are required. Once authenticated, the attacker can issue a TUS DELETE request to arbitrary paths within their permitted scope, bypassing the Delete permission check and deleting files or directories. The attack path is straightforward, and the impact is localized to the affected instance’s file hierarchy. Because the flaw affects privileged users, the risk to overall system integrity remains high.

Generated by OpenCVE AI on April 17, 2026 at 12:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.61.1 or later to incorporate the vendor fix that restores proper delete permission enforcement.
  • Re‑evaluate and tighten user roles so that users who should not delete files do not possess Delete or Create permissions; remove Create‑only roles if unnecessary.
  • Confirm that all remaining user accounts have only the permissions they require for their responsibilities, and audit permissions for any unexpected privileges.
  • If an upgrade is not immediately possible, enforce network or application‑level restrictions against the TUS DELETE endpoint for non‑administrator users.

Generated by OpenCVE AI on April 17, 2026 at 12:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-79pf-vx4x-7jmm File Browser's TUS Delete Endpoint Bypasses Delete Permission Check
History

Tue, 10 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Filebrowser
Filebrowser filebrowser
Vendors & Products Filebrowser
Filebrowser filebrowser

Fri, 06 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.
Title File Browser: TUS Delete Endpoint Bypasses Delete Permission Check
Weaknesses CWE-284
CWE-732
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Filebrowser Filebrowser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T10:41:10.751Z

Reserved: 2026-03-04T14:44:00.714Z

Link: CVE-2026-29188

cve-icon Vulnrichment

Updated: 2026-03-06T10:41:06.817Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T21:16:23.097

Modified: 2026-03-10T19:42:36.507

Link: CVE-2026-29188

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses