CVE-2026-32758
Received Received - Intake
Path Traversal in File Browser resourcePatchHandler Allows Unauthorized File Writes

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterwardβ€”resolving .. sequences into a different effective path. This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules (both prefix-based and regex-based) by injecting .. sequences in the destination parameter of a PATCH request. As a result, the user can write or move files into any deny-rule-protected path within their scope. However, this cannot be used to escape the user's BasePathFs scope or read from restricted paths. This issue has been fixed in version 2.62.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32758
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
filebrowser filebrowser to 2.62.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate and recommended mitigation step is to upgrade File Browser to version 2.62.0 or later, where the vulnerability has been fixed.

The fix involves sanitizing and normalizing the source and destination paths by applying URL unescaping and path cleaning before access rule checks, preventing path traversal bypass.

If upgrading immediately is not possible, consider restricting PATCH requests to trusted users only and monitoring for suspicious path traversal patterns in destination parameters.

Review and tighten access rules and permissions to minimize the risk of exploitation by authenticated users with Create or Rename permissions.

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32758 is a path traversal vulnerability in File Browser versions 2.61.2 and below. It occurs because the destination path in the resourcePatchHandler is validated against access rules before the path is normalized (cleaned). The access rules check the raw, uncleaned path, while the actual file operation cleans the path afterward, resolving any '..' sequences. This discrepancy allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules by injecting '..' sequences in the destination parameter of a PATCH request."}, {'type': 'paragraph', 'content': "As a result, the user can write or move files into any deny-rule-protected path within their scope, bypassing both prefix-based and regex-based deny rules. However, this vulnerability does not allow escaping the user's base filesystem scope or reading from restricted paths."}] [1]

Impact Analysis

This vulnerability allows an authenticated user with Create or Rename permissions to bypass deny rules and write or move files into restricted paths within their allowed scope. This means unauthorized file modifications can occur in areas that administrators intended to protect.

The impact is an integrity violation, as unauthorized file writes or moves can compromise the integrity of the file system or application data. However, confidentiality and availability are not affected, and the user cannot read restricted files or escape their base filesystem scope.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring PATCH HTTP requests to the File Browser server, specifically those that include a destination parameter with path traversal sequences such as "..".'}, {'type': 'paragraph', 'content': 'A practical detection method is to inspect network traffic or server logs for PATCH requests where the destination parameter contains ".." sequences that could bypass access rules.'}, {'type': 'paragraph', 'content': 'For example, you can use command-line tools like curl or tcpdump to capture and analyze such requests.'}, {'type': 'list_item', 'content': 'Use tcpdump or Wireshark to filter HTTP PATCH requests to the File Browser server and look for destination parameters containing ".." sequences.'}, {'type': 'list_item', 'content': "Example tcpdump command: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'PATCH'"}, {'type': 'list_item', 'content': "Use grep or similar tools on File Browser access logs to find PATCH requests with suspicious destination parameters, e.g., grep 'PATCH' access.log | grep 'destination=.*\\.\\.'"}, {'type': 'paragraph', 'content': 'Additionally, checking the File Browser version installed can help detect if the system is vulnerable (versions 2.61.2 and below are affected).'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32758. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart