Executive Summary

CVE-2026-29188 is a broken access control vulnerability in the File Browser project affecting versions prior to 2.61.1. The issue lies in the TUS protocol DELETE endpoint, where the system incorrectly checks if a user has Create permission instead of Delete permission before allowing file or directory deletion.

This flaw allows authenticated users who only have Create permission to delete arbitrary files and directories within their scope, bypassing the intended restriction that only users with Delete permission should be able to perform deletions.

The vulnerability affects multi-user deployments where administrators restrict file deletion for certain users. The TUS DELETE handler was originally designed to cancel in-progress uploads but ends up permanently deleting files regardless of proper permissions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a critical impact by allowing unauthorized deletion of files and directories by users who should not have such permissions.

• Authenticated users with only Create permission can delete arbitrary files and directories within their scope.
• It undermines administrative controls that restrict destructive operations, potentially leading to data loss.
• The deletion is permanent and can affect the integrity and availability of data.

The severity is rated critical with a CVSS v3.1 base score of 9.1, indicating a high risk due to network attack vector, low complexity, and no need for additional privileges beyond authentication.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing whether authenticated users with only Create permission are able to delete files or directories via the TUS protocol DELETE endpoint.'}, {'type': 'paragraph', 'content': 'A practical approach is to attempt sending an HTTP DELETE request to the endpoint `/api/tus/{path}` as a user who has Create permission but lacks Delete permission.'}, {'type': 'paragraph', 'content': 'If the server responds with HTTP 204 (No Content) and the file or directory is deleted, the system is vulnerable. If it responds with HTTP 403 (Forbidden), the system is not vulnerable.'}, {'type': 'paragraph', 'content': 'Example command using curl to test this (replace placeholders accordingly):'}, {'type': 'list_item', 'content': 'curl -X DELETE -H "Authorization: Bearer <token>" https://<filebrowser-server>/api/tus/<file-or-directory-path>'}, {'type': 'paragraph', 'content': 'Monitoring network traffic for DELETE requests to `/api/tus/` endpoints from users with limited permissions can also help detect exploitation attempts.'}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to upgrade the filebrowser software to version 2.61.1 or later, where the permission check in the TUS protocol DELETE endpoint has been corrected.

This update ensures that only users with the proper Delete permission can delete files or directories, preventing unauthorized deletions.

If upgrading immediately is not possible, consider restricting access to the TUS DELETE endpoint or limiting user permissions to prevent users with only Create permission from performing delete operations.

Additionally, review and audit user permissions to ensure that users do not have unnecessary Create permissions if they should not be able to delete files.

Useful 0 Not Useful 0