CVE-2026-29188
Broken Access Control in File Browser TUS DELETE Endpoint

Publication date: 2026-03-05

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: filebrowser
Product: filebrowser
Version / Range: up to 2.61.1 (excluding)
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-29188 is a broken access control vulnerability in the File Browser project affecting versions prior to 2.61.1. The issue lies in the TUS protocol DELETE endpoint, where the system incorrectly checks if a user has Create permission instead of Delete permission before allowing file or directory deletion.

This flaw allows authenticated users who only have Create permission to delete arbitrary files and directories within their scope, bypassing the intended restriction that only users with Delete permission should be able to perform deletions.

The vulnerability affects multi-user deployments where administrators restrict file deletion for certain users. The TUS DELETE handler was originally designed to cancel in-progress uploads but ends up permanently deleting files regardless of proper permissions.
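The permission mix-up described above, as an added illustration that is not File Browser's own code: a simplified Go handler for DELETE /api/tus/{path} that, in its vulnerable form, consults the Create bit and, in its corrected form, consults the Delete bit. The Perms type and the probe helper are assumptions made for this example; the 204/403 outcomes match the behaviour the record describes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Perms is a simplified model of a File Browser user's permissions
// (assumed shape for this example, not the project's own type).
type Perms struct {
	Create bool
	Delete bool
}

// tusDelete models the TUS DELETE handler. With fixed=false it behaves
// like versions before 2.61.1 (checks Create); with fixed=true it
// requires the Delete permission, as a destructive operation should.
func tusDelete(p Perms, fixed bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodDelete || !strings.HasPrefix(r.URL.Path, "/api/tus/") {
			http.NotFound(w, r)
			return
		}
		allowed := p.Create // vulnerable: wrong permission bit consulted
		if fixed {
			allowed = p.Delete // corrected: deletion requires Delete
		}
		if !allowed {
			w.WriteHeader(http.StatusForbidden) // 403
			return
		}
		// The real handler removes the target here; omitted in this model.
		w.WriteHeader(http.StatusNoContent) // 204
	})
}

// probe returns the status code a user with permissions p receives for a
// DELETE of a constructed path under /api/tus/.
func probe(p Perms, fixed bool) int {
	req := httptest.NewRequest(http.MethodDelete, "/api/tus/docs/report.txt", nil)
	rec := httptest.NewRecorder()
	tusDelete(p, fixed).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	uploadOnly := Perms{Create: true, Delete: false}
	fmt.Println("pre-2.61.1:", probe(uploadOnly, false)) // 204: bypass
	fmt.Println("2.61.1+:   ", probe(uploadOnly, true))  // 403: denied
}
```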


How can this vulnerability impact me?

This vulnerability can have a critical impact by allowing unauthorized deletion of files and directories by users who should not have such permissions.

  • Authenticated users with only Create permission can delete arbitrary files and directories within their scope.
  • It undermines administrative controls that restrict destructive operations, potentially leading to data loss.
  • The deletion is permanent and can affect the integrity and availability of data.

The severity is rated critical with a CVSS v3.1 base score of 9.1, indicating a high risk due to network attack vector, low complexity, and no need for additional privileges beyond authentication.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing whether authenticated users with only Create permission are able to delete files or directories via the TUS protocol DELETE endpoint.

A practical approach is to attempt sending an HTTP DELETE request to the endpoint `/api/tus/{path}` as a user who has Create permission but lacks Delete permission.

If the server responds with HTTP 204 (No Content) and the file or directory is deleted, the system is vulnerable. If it responds with HTTP 403 (Forbidden), the system is not vulnerable.

Example command using curl to test this (replace placeholders accordingly):

  • curl -X DELETE -H "Authorization: Bearer <token>" https://<filebrowser-server>/api/tus/<file-or-directory-path>

Monitoring network traffic for DELETE requests to `/api/tus/` endpoints from users with limited permissions can also help detect exploitation attempts. [3]
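The monitoring idea above, as an added example that is not from the page or the File Browser project: a Go function scans constructed access-log lines (the "user method path status" line format and the user-permission map are assumptions) and flags successful DELETE requests under /api/tus/ made by users whose policy does not grant Delete. Because TUS DELETE is also the legitimate way to cancel one's own in-progress upload, each hit is a lead to review against the affected file, not proof of exploitation.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample access-log lines (not real File Browser output; the
// "user method path status" layout is an assumption for this example).
const sampleLog = `alice DELETE /api/tus/reports/q1.pdf 204
bob DELETE /api/tus/shared/notes.txt 204
alice DELETE /api/resources/old.txt 403
carol DELETE /api/tus/tmp/upload.bin 204
bob PATCH /api/tus/shared/big.iso 204
bob DELETE /api/tus/shared/img.png 403`

// Perms is a simplified model of per-user permissions (assumed shape).
type Perms struct{ Create, Delete bool }

// userPerms is the administrator's intended policy: bob and carol may
// upload but must not delete. Constructed for this example.
var userPerms = map[string]Perms{
	"alice": {Create: true, Delete: true},
	"bob":   {Create: true, Delete: false},
	"carol": {Create: true, Delete: false},
}

// suspiciousTusDeletes returns "user path" entries for TUS DELETE requests
// that succeeded (204) although the requesting user's policy lacks Delete.
// On a pre-2.61.1 instance such entries are candidates for the bypass.
func suspiciousTusDeletes(log string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 || f[1] != "DELETE" || !strings.HasPrefix(f[2], "/api/tus/") {
			continue // not a TUS DELETE request
		}
		if f[3] != "204" {
			continue // denied or failed; nothing was deleted
		}
		if p, ok := userPerms[f[0]]; ok && !p.Delete {
			hits = append(hits, f[0]+" "+f[2])
		}
	}
	return hits
}

func main() {
	for _, h := range suspiciousTusDeletes(sampleLog) {
		fmt.Println("review: TUS DELETE by user without Delete permission:", h)
	}
}
```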


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended step to mitigate this vulnerability is to upgrade the filebrowser software to version 2.61.1 or later, where the permission check in the TUS protocol DELETE endpoint has been corrected.

This update ensures that only users with the proper Delete permission can delete files or directories, preventing unauthorized deletions.

If upgrading immediately is not possible, consider restricting access to the TUS DELETE endpoint or limiting user permissions to prevent users with only Create permission from performing delete operations.

Additionally, review and audit user permissions to ensure that users do not have unnecessary Create permissions if they should not be able to delete files.

