Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 ("self-registered users don't get execute perms") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global defaults, even though the signup path was explicitly changed to prevent execution rights from being inherited by automatically provisioned accounts. This vulnerability is fixed in 2.63.1.
Published: 2026-04-07
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Execution privilege escalation via auto‑provisioned proxy authentication
Action: Immediate Patch
AI Analysis

Impact

File Browser allows automated user creation through its proxy authentication handler. A regression in versions before 2.63.1 caused these auto‑provisioned accounts to receive execute permissions and command capabilities from global defaults, even though the signup route was corrected to remove such rights. This enables a malicious actor who can trigger a proxy‑auth login for a new user to gain the ability to run arbitrary commands on the server. The weakness is classified as an Improper Authorization issue (CWE‑269).

Affected Systems

All deployments of File Browser running a version earlier than 2.63.1 are vulnerable, regardless of the specific installation method. The issue originates in the proxy authentication code path and affects automatically created user accounts. It does not affect pre‑existing accounts that were created through standard signup, nor versions 2.63.1 and newer.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score is less than 1% (0.00089), demonstrating a very low but non‑zero exploitation probability. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, suggesting there are no confirmed, widespread attacks yet. An attacker who can influence the proxy authentication flow could instantiate a privileged account and potentially execute code on the host. The vulnerability exists in a publicly accessible web interface and can be triggered by any proxy‑authenticated user.

Generated by OpenCVE AI on April 17, 2026 at 09:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.63.1 or newer.
  • Disable or restrict proxy authentication to trusted sources to prevent unauthorized auto‑provisioning.
  • Verify that new user accounts are not granted execute permissions unless explicitly required.

Generated by OpenCVE AI on April 17, 2026 at 09:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7526-j432-6ppp File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands
History

Thu, 16 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Filebrowser
Filebrowser filebrowser
Vendors & Products Filebrowser
Filebrowser filebrowser
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 ("self-registered users don't get execute perms") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global defaults, even though the signup path was explicitly changed to prevent execution rights from being inherited by automatically provisioned accounts. This vulnerability is fixed in 2.63.1.
Title File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Filebrowser Filebrowser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T18:50:24.867Z

Reserved: 2026-04-03T21:25:12.163Z

Link: CVE-2026-35607

cve-icon Vulnrichment

Updated: 2026-04-08T18:50:15.519Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T17:16:34.890

Modified: 2026-04-16T18:14:56.710

Link: CVE-2026-35607

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T10:00:03Z

Weaknesses