Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.16, a scoped, non-admin File Browser user holding only the Create permission can delete arbitrary files outside their scope (other tenants' data, and the application's own database) via the upload failure-cleanup path. ScopedFs.RemoveAll is the one dereferencing operation that skips the symlink guard every other method enforces. The direct-upload handler runs RemoveAll on the user-controlled path during failed-upload cleanup, gated only by Perm.Create. If an escaping directory symlink already exists inside the user's scope, an authenticated create-only user can delete an out-of-scope target, bypassing both the ScopedFs boundary and the Perm.Delete gate. This vulnerability is fixed in 2.63.16.
Published: 2026-06-25
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 2.63.16, a user with only Create permission in File Browser can delete arbitrary files outside their tenant area. The vulnerability arises from the upload failure-cleanup process, which calls ScopedFs.RemoveAll on a path controlled by the uploader, bypassing the symlink guard that the other ScopedFs methods enforce. If a symlink already exists within the user's scope directory that points to a file or directory outside it, that target becomes subject to deletion. The attacker gains the ability to remove third-party tenant data or the application's internal files, compromising data integrity and availability and elevating their privileges beyond the intended Create scope.
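The mechanism described in the advisory and the Impact paragraph, as an added Go example that is not File Browser's code: a hypothetical scoped wrapper whose RemoveAll is called on the lexically joined path (the vulnerable shape), next to a variant that resolves every intermediate component with filepath.EvalSymlinks and refuses when the resolved parent is outside the resolved root. The layout (a scope root, an out-of-scope file, a directory symlink already inside the scope) is constructed in a temp directory; the function names, scopedPath, unsafeRemoveAll and safeRemoveAll, are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutOfScope is returned when the resolved parent directory lies outside the scope root.
var ErrOutOfScope = errors.New("path resolves outside scope")

// scopedPath joins a user-supplied relative path onto the scope root lexically, the way a
// ScopedFs-style wrapper typically does (hypothetical helper, not File Browser's code).
// Cleaning stops "../" traversal but knows nothing about symlinks already present under root.
func scopedPath(root, userPath string) string {
	return filepath.Join(root, filepath.Clean("/"+userPath))
}

// unsafeRemoveAll models the vulnerable cleanup: os.RemoveAll straight on the joined path.
// If an intermediate component of userPath is a symlink to a directory outside root, path
// resolution follows it and the deletion lands outside the scope.
func unsafeRemoveAll(root, userPath string) error {
	return os.RemoveAll(scopedPath(root, userPath))
}

// safeRemoveAll resolves every intermediate component first and refuses when the resolved
// parent is not inside the resolved root. The final component is deliberately not resolved:
// os.RemoveAll removes a symlink itself rather than its target, so an in-scope link is
// deleted as a link, never followed.
func safeRemoveAll(root, userPath string) error {
	resolvedRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return err
	}
	full := scopedPath(root, userPath)
	parent, err := filepath.EvalSymlinks(filepath.Dir(full))
	if err != nil {
		return err
	}
	rel, err := filepath.Rel(resolvedRoot, parent)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("%w: %q", ErrOutOfScope, userPath)
	}
	return os.RemoveAll(filepath.Join(parent, filepath.Base(full)))
}

// DemoResult records what each cleanup did to the constructed layout.
type DemoResult struct {
	SafeRefused       bool // safeRemoveAll rejected "escape/victim.txt"
	VictimAfterSafe   bool // out-of-scope file still present after the safe call
	InScopeDeleted    bool // safeRemoveAll still deletes an ordinary in-scope file
	VictimAfterUnsafe bool // out-of-scope file still present after the vulnerable call
	LinkRemovedOnly   bool // safeRemoveAll on the link itself removed the link, not its target
}

// Demo builds a constructed layout in a temp dir (not real tenant data) and runs both cleanups:
// base/outside/victim.txt (outside the scope), base/scope/ (the scope root),
// base/scope/upload.tmp (an ordinary in-scope file), base/scope/escape -> base/outside.
func Demo() (DemoResult, error) {
	var r DemoResult
	base, err := os.MkdirTemp("", "scopedfs-demo-")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(base)
	outside := filepath.Join(base, "outside")
	root := filepath.Join(base, "scope")
	victim := filepath.Join(outside, "victim.txt")
	link := filepath.Join(root, "escape")
	for _, d := range []string{outside, root} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return r, err
		}
	}
	if err := os.WriteFile(victim, []byte("other tenant's data"), 0o644); err != nil {
		return r, err
	}
	if err := os.WriteFile(filepath.Join(root, "upload.tmp"), []byte("partial"), 0o644); err != nil {
		return r, err
	}
	if err := os.Symlink(outside, link); err != nil {
		return r, err
	}
	r.SafeRefused = errors.Is(safeRemoveAll(root, "escape/victim.txt"), ErrOutOfScope)
	r.VictimAfterSafe = exists(victim)
	r.InScopeDeleted = safeRemoveAll(root, "upload.tmp") == nil && !exists(filepath.Join(root, "upload.tmp"))
	_ = unsafeRemoveAll(root, "escape/victim.txt")
	r.VictimAfterUnsafe = exists(victim)
	r.LinkRemovedOnly = safeRemoveAll(root, "escape") == nil && !exists(link) && exists(outside)
	return r, nil
}

func exists(p string) bool {
	_, err := os.Lstat(p)
	return err == nil
}

func main() {
	r, err := Demo()
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

The resolve-then-delete check still has a window between EvalSymlinks and RemoveAll in which a link could be swapped; on Go 1.25 and later, os.Root (opened with os.OpenRoot) provides a RemoveAll that refuses to escape the root at the system-call level and closes that window.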

Affected Systems

File Browser (filebrowser:filebrowser) versions earlier than 2.63.16 are affected. All installations using create-only scoped users and permitting symlink creation within the user's working directory are at risk.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, and although EPSS is not listed, the lack of mitigation in the affected versions suggests a non-negligible exploitation probability. The exploit requires only an authenticated user with Create permission and the ability to create a symlink inside their scope, making it trivially achievable in typical multi-tenant deployments. The vulnerability is not yet listed in the CISA KEV catalog, but the combination of high CVSS and known misuse patterns warrants proactive remediation.

Generated by OpenCVE AI on June 25, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.63.16 or later, where ScopedFs.RemoveAll no longer bypasses symlink checks during upload cleanup.
  • If an upgrade is not immediately possible, disable or tightly restrict symlink creation for users with only Create permission, ensuring they cannot create symlinks that point outside the intended directory.
  • Audit existing user directories for symlinks that point outside the scoped area and remove them to eliminate the attack surface until a patch can be applied.
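The third recommendation, auditing scope directories for symlinks that resolve outside them, as an added Go example (not part of the OpenCVE page or of File Browser): it walks a root without following links, resolves each symlink it meets and reports the ones whose target lands outside the resolved root, plus dangling links whose target cannot be verified. The demo layout and the names AuditScope, Finding and DemoAudit are constructed for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one symlink under the scope root that does not provably stay inside it.
type Finding struct {
	Link   string // path of the symlink, relative to the scope root
	Target string // resolved absolute target, or the raw link text when dangling
}

// insideRoot reports whether resolved is resolvedRoot itself or lies below it.
func insideRoot(resolvedRoot, resolved string) bool {
	rel, err := filepath.Rel(resolvedRoot, resolved)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// AuditScope walks root (WalkDir does not follow symlinks) and returns every symlink
// whose resolved target is outside the resolved root, and every dangling symlink.
func AuditScope(root string) ([]Finding, error) {
	resolvedRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	err = filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil // regular files and directories are not of interest here
		}
		rel, _ := filepath.Rel(root, p)
		resolved, err := filepath.EvalSymlinks(p)
		if err != nil {
			raw, _ := os.Readlink(p)
			findings = append(findings, Finding{Link: rel, Target: "dangling -> " + raw})
			return nil
		}
		if !insideRoot(resolvedRoot, resolved) {
			findings = append(findings, Finding{Link: rel, Target: resolved})
		}
		return nil
	})
	return findings, err
}

// DemoAudit builds a constructed scope in a temp dir (not real user data): one symlink that
// stays inside the scope (ok-link -> sub) and one that escapes it (escape -> ../outside).
func DemoAudit() ([]Finding, error) {
	base, err := os.MkdirTemp("", "scope-audit-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(base)
	root := filepath.Join(base, "scope")
	outside := filepath.Join(base, "outside")
	for _, d := range []string{filepath.Join(root, "sub"), outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return nil, err
		}
	}
	if err := os.WriteFile(filepath.Join(root, "sub", "note.txt"), []byte("in scope"), 0o644); err != nil {
		return nil, err
	}
	if err := os.Symlink(filepath.Join(root, "sub"), filepath.Join(root, "ok-link")); err != nil {
		return nil, err
	}
	if err := os.Symlink(outside, filepath.Join(root, "escape")); err != nil {
		return nil, err
	}
	return AuditScope(root)
}

func main() {
	// Usage: pass a scope root to audit; with no argument the constructed demo runs.
	var findings []Finding
	var err error
	if len(os.Args) > 1 {
		findings, err = AuditScope(os.Args[1])
	} else {
		findings, err = DemoAudit()
	}
	if err != nil {
		fmt.Println("audit failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s -> %s\n", f.Link, f.Target)
	}
}
```

Run it once per user scope root (or over the parent of all scopes and group by top-level directory); a link reported here is exactly the precondition the advisory describes, and removing it closes the deletion path until the upgrade is applied.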

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 04:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Filebrowser
                                      Filebrowser filebrowser
Vendors & Products                    Filebrowser
                                      Filebrowser filebrowser

Thu, 25 Jun 2026 18:30:00 +0000

Type          Values Removed   Values Added
Description                    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.16, a scoped, non-admin File Browser user holding only the Create permission can delete arbitrary files outside their scope (other tenants' data, and the application's own database) via the upload failure-cleanup path. ScopedFs.RemoveAll is the one dereferencing operation that skips the symlink guard every other method enforces. The direct-upload handler runs RemoveAll on the user-controlled path during failed-upload cleanup, gated only by Perm.Create. If an escaping directory symlink already exists inside the user's scope, an authenticated create-only user can delete an out-of-scope target, bypassing both the ScopedFs boundary and the Perm.Delete gate. This vulnerability is fixed in 2.63.16.
Title                          File Browser: Out-of-scope file deletion by a Create-only scoped user via symlink-following RemoveAll in upload failure-cleanup
Weaknesses                     CWE-22
                               CWE-59
References
Metrics                        cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-06-26T02:12:47.993Z

Reserved: 2026-06-17T00:05:03.777Z

Link: CVE-2026-55667

Vulnrichment

Updated: 2026-06-26T02:12:41.815Z

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')