Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward—resolving .. sequences into a different effective path. This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules (both prefix-based and regex-based) by injecting .. sequences in the destination parameter of a PATCH request. As a result, the user can write or move files into any deny-rule-protected path within their scope. However, this cannot be used to escape the user's BasePathFs scope or read from restricted paths. This issue has been fixed in version 2.62.0.
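The ordering bug the description names (access rules evaluated on the raw destination, path.Clean() applied only later by the file operation) is easy to see in isolation. The following is an added example written for this page, not code from the File Browser project: `Rule`, `vulnerableDestination` and `fixedDestination` are hypothetical stand-ins for the project's own types and for the deny-rule check in resourcePatchHandler, and the rule values are constructed. It places the advisory's check-then-clean ordering beside the corrected clean-then-check ordering and shows how the effective path differs. Forcing a leading "/" before cleaning is an added hardening that the advisory does not mention.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Rule is a hypothetical deny rule. The advisory says File Browser supports
// prefix-based and regex-based deny rules; this struct is a stand-in for
// illustration, not the project's own type.
type Rule struct {
	Prefix string
	Regex  *regexp.Regexp
}

// Denies reports whether the rule matches the given path.
func (r Rule) Denies(p string) bool {
	if r.Prefix != "" && strings.HasPrefix(p, r.Prefix) {
		return true
	}
	if r.Regex != nil && r.Regex.MatchString(p) {
		return true
	}
	return false
}

// denied reports whether any rule matches p.
func denied(rules []Rule, p string) bool {
	for _, r := range rules {
		if r.Denies(p) {
			return true
		}
	}
	return false
}

// vulnerableDestination reproduces the ordering the advisory describes:
// the raw destination is checked against the rules first, and only the
// later file operation cleans it. It returns the effective path the
// operation would use and whether the request was allowed.
func vulnerableDestination(rules []Rule, dst string) (string, bool) {
	if denied(rules, dst) {
		return "", false
	}
	// path.Clean resolves ".." here, after the check has already passed.
	return path.Clean(dst), true
}

// fixedDestination normalizes first and checks the rules against the path
// that will actually be used. Forcing a leading "/" before cleaning is an
// added hardening (an assumption, not from the advisory): relative
// destinations and leading ".." segments collapse under the root, so prefix
// rules always see the same canonical form.
func fixedDestination(rules []Rule, dst string) (string, bool) {
	clean := path.Clean("/" + dst)
	if denied(rules, clean) {
		return "", false
	}
	return clean, true
}

func main() {
	// Constructed rules: one prefix-based, one regex-based.
	rules := []Rule{
		{Prefix: "/protected/"},
		{Regex: regexp.MustCompile(`^/secrets/`)},
	}
	// Constructed sample destinations: one honest, two that only reach a
	// denied location after normalization.
	for _, dst := range []string{
		"/public/notes.txt",
		"/public/../protected/notes.txt",
		"/public/../secrets/config",
	} {
		v, vOK := vulnerableDestination(rules, dst)
		f, fOK := fixedDestination(rules, dst)
		fmt.Printf("%-32s check-then-clean: allowed=%-5v effective=%-24q clean-then-check: allowed=%-5v effective=%q\n",
			dst, vOK, v, fOK, f)
	}
}
```

The point to verify in a review of any similar handler is that every access-rule check runs on the same normalized string the filesystem call receives; a check on any earlier form of the path is a check on a different path.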
Published: 2026-03-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation via access rule bypass
Action: Patch Now
AI Analysis

Impact

A path traversal flaw in the destination parameter of the resourcePatchHandler allows an authenticated user with Create or Rename permissions to write or move files into any path protected by administrator‑configured deny rules. The flaw occurs because the validation of access rules precedes path normalization, letting malicious path sequences such as ".." be resolved to a different effective location. As a result, attackers can place files in directories that should be off‑limits within their assigned scope, potentially subverting security policies without breaching the user’s base directory.

Affected Systems

The vulnerability affects File Browser services of the filebrowser:filebrowser product with version 2.61.2 and earlier. The product is an open‑source web‑based file manager that supports uploading, deleting, previewing, renaming and editing files within a configured directory.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The flaw is not listed in the CISA KEV catalog, giving no evidence of active exploitation in the wild. An attacker must be authenticated and possess either Create or Rename permissions to exploit the issue, and the attack vector is remote through the web interface via an HTTP PATCH request with a crafted destination parameter. The flaw cannot be used to escape the user’s BasePathFs scope or read from restricted locations, but it does enable unauthorized writes within the user’s permitted area.

Generated by OpenCVE AI on March 23, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Confirm the running version of File Browser by accessing the system information endpoint or checking the deployment metadata.
  • If the version is 2.61.2 or older, upgrade to 2.62.0 or later, where the path normalisation and access‑rule validation order has been corrected.
  • After upgrading, verify that resourcePatchHandler no longer accepts ".." in the destination field by attempting a test rename or copy into a deny-rule-protected path and confirming it is rejected.
  • If an immediate upgrade is not possible, consider tightening access control by removing Create/Rename permissions from all but trusted users or disabling the PATCH operation for unauthenticated sessions.


Advisories

Source: Github GHSA
ID: GHSA-9f3r-2vgw-m8xp
Title: File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter

History

Mon, 23 Mar 2026 17:00:00 +0000
  Type: CPEs
  Values Added: cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 20:15:00 +0000
  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000
  Type: First Time appeared
  Values Added: Filebrowser; Filebrowser filebrowser
  Type: Vendors & Products
  Values Added: Filebrowser; Filebrowser filebrowser

Thu, 19 Mar 2026 23:45:00 +0000
  Type: Description
  Values Added: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward, resolving .. sequences into a different effective path. This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules (both prefix-based and regex-based) by injecting .. sequences in the destination parameter of a PATCH request. As a result, the user can write or move files into any deny-rule-protected path within their scope. However, this cannot be used to escape the user's BasePathFs scope or read from restricted paths. This issue has been fixed in version 2.62.0.
  Type: Title
  Values Added: File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter
  Type: Weaknesses
  Values Added: CWE-22; CWE-863
  Type: References
  Values Added:
  Type: Metrics
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:00:43.633Z

Reserved: 2026-03-13T18:53:03.532Z

Link: CVE-2026-32758

Vulnrichment

Updated: 2026-03-20T20:00:39.078Z

NVD

Status: Analyzed

Published: 2026-03-20T00:16:17.093

Modified: 2026-03-23T16:55:20.893

Link: CVE-2026-32758

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:10:33Z

Weaknesses