Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.
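The handler logic the description refers to, as an added Go example that is not File Browser's own code: the type shapes, the `signupVulnerable`/`signupFixed` names and the hardened variant are assumptions modelled on the advisory text, and the template values are constructed.

```go
package main

import "fmt"

// Simplified stand-ins for the File Browser types the advisory refers to (assumed shapes).
type Permissions struct{ Admin, Execute, Create bool }
type User struct {
	Username string
	Perm     Permissions
	Commands []string
}
// UserDefaults is the default user template an administrator configures.
type UserDefaults struct {
	Perm     Permissions
	Commands []string
}
// Apply copies the template onto a user, as d.settings.Defaults.Apply(user) does.
func (d UserDefaults) Apply(u *User) {
	u.Perm = d.Perm
	u.Commands = append([]string(nil), d.Commands...)
}

// signupVulnerable models the pre-2.62.2 handler: only Admin is stripped,
// so Execute and the Commands list from the template survive on the new account.
func signupVulnerable(d UserDefaults, name string) *User {
	u := &User{Username: name}
	d.Apply(u)
	u.Perm.Admin = false
	return u
}

// signupFixed is one hardening consistent with the advisory (assumed, not the
// upstream patch): same as the old path, then Execute and Commands are stripped too.
func signupFixed(d UserDefaults, name string) *User {
	u := signupVulnerable(d, name)
	u.Perm.Execute = false
	u.Commands = nil
	return u
}
// CanRunCommands is the audit question to ask of every self-registered account.
func CanRunCommands(u *User) bool { return u.Perm.Execute || len(u.Commands) > 0 }

func main() {
	// Constructed template: an administrator set Execute=true in the defaults.
	tmpl := UserDefaults{Perm: Permissions{Execute: true, Create: true}, Commands: []string{"git"}}
	fmt.Println(CanRunCommands(signupVulnerable(tmpl, "newuser"))) // true
	fmt.Println(CanRunCommands(signupFixed(tmpl, "newuser")))      // false
}
```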
Published: 2026-04-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-side Command Execution via Unauthenticated Signup
Action: Patch Immediately
AI Analysis

Impact

File Browser enables management of files through a web interface. A bug in the signup process applied the default user template's permissions to newly registered accounts without removing the Execute flag. This leaves unauthenticated users who register new accounts with the ability to execute arbitrary commands on the hosting server, a high-impact privilege escalation flaw classified as CWE-269.

Affected Systems

The flaw exists in all versions of File Browser earlier than v2.62.2 on any installation that has enabled the public signup option and configured the default user template with Execute=true.

Risk and Exploitability

The CVSS base score of 8.1 indicates a high severity level, but the EPSS of less than 1% suggests limited real-world exploitation. The vulnerability is not recorded in the CISA KEV catalog. An attacker can exploit the weakness by sending a normal registration request to a target where signup is allowed and command execution is enabled, creating an account that can subsequently run arbitrary shell commands on the server.

Generated by OpenCVE AI on April 7, 2026 at 02:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.62.2 or later to apply the vendor patch.
  • If immediate upgrade is not possible, disable public signup and server-side command execution until the patch is installed.
  • Review the default user template configuration and ensure the Execute permission is set to false.
  • Monitor authentication logs for suspicious registration activity and audit any unintended command execution.

Advisories

Source: GitHub GHSA
ID: GHSA-x8jc-jvqm-pm3f
Title: File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
History

Tue, 07 Apr 2026 00:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values Added: Filebrowser; Filebrowser filebrowser

Type: Vendors & Products
Values Added: Filebrowser; Filebrowser filebrowser

Thu, 02 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Added: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.

Type: Title
Values Added: File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution

Type: Weaknesses
Values Added: CWE-269

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T14:02:45.546Z

Reserved: 2026-03-30T16:03:31.048Z

Link: CVE-2026-34528

Vulnrichment

Updated: 2026-04-02T14:02:25.797Z

NVD

Status: Analyzed

Published: 2026-04-01T21:17:00.660

Modified: 2026-04-06T20:41:19.900

Link: CVE-2026-34528

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:07:28Z

Weaknesses