CVE-2026-32760
Privilege Escalation in File Browser via Unrestricted Admin Self-Registration

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings (including Perm.Admin) to the new user without any server-side guard that strips admin from self-registered accounts. The signupHandler is supposed to create unprivileged accounts for new visitors. It contains no explicit user.Perm.Admin = false reset after applying defaults. If an administrator (intentionally or accidentally) configures defaults.perm.admin = true and also enables signup, every account created via the public registration endpoint is an administrator with full control over all files, users, and server settings. This issue has been resolved in version 2.62.0.
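A minimal Go model of the flaw and its fix, added here as an illustration and not File Browser's own code: the types, field names and handler names are hypothetical reconstructions of what the description calls the defaults and the signup handler.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical reconstruction of the types involved; not File Browser's own code.
type Perm struct{ Admin, Create, Delete, Modify bool }

type User struct {
	Username string
	Perm     Perm
}

// Settings models the two options the advisory names: signup and defaults.perm.*.
type Settings struct {
	Signup      bool
	DefaultPerm Perm
}

var ErrSignupDisabled = errors.New("signup is disabled")

// signupVulnerable reproduces the pre-2.62.0 flaw: the default permission set,
// Admin included, is copied onto the new account with no server-side guard.
func signupVulnerable(s Settings, username string) (*User, error) {
	if !s.Signup {
		return nil, ErrSignupDisabled
	}
	return &User{Username: username, Perm: s.DefaultPerm}, nil
}

// signupFixed runs the same flow and then forces Admin to false, the reset the
// advisory says was missing, so defaults.perm.admin can never mint an admin.
func signupFixed(s Settings, username string) (*User, error) {
	u, err := signupVulnerable(s, username)
	if err != nil {
		return nil, err
	}
	u.Perm.Admin = false // self-registered accounts are never administrators
	return u, nil
}

func main() {
	// Constructed misconfiguration: signup on, admin granted by default.
	s := Settings{Signup: true, DefaultPerm: Perm{Admin: true, Create: true}}
	v, _ := signupVulnerable(s, "visitor")
	f, _ := signupFixed(s, "visitor")
	fmt.Printf("vulnerable admin=%t; fixed admin=%t create=%t\n", v.Perm.Admin, f.Perm.Admin, f.Perm.Create)
}
```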
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-23
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: filebrowser | Product: filebrowser | Version / Range: up to 2.62.0 (exclusive)
CWE ID | Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32760 is a critical vulnerability in the File Browser application (versions 2.61.2 and below) that allows any unauthenticated visitor to register a full administrator account if self-registration (signup) is enabled and the default user permissions include admin rights.

The root cause is that the signup handler blindly applies all default user settings, including administrative privileges, without any server-side check to remove admin rights from self-registered accounts. This means that if an administrator configures the system to give new users admin permissions by default and enables signup, every new user created through the public signup endpoint gains full administrative control.

This issue was fixed in version 2.62.0 by explicitly resetting the admin permission to false for all self-registered users, preventing unauthorized privilege escalation.


How can this vulnerability impact me?

This vulnerability allows an attacker with no authentication to create an administrator account on the File Browser server if signup is enabled with default admin permissions.

  • Attackers gain full administrative control over the server.
  • They can list, read, modify, and delete all files managed by the server.
  • They can create, modify, and delete all user accounts.
  • They can change authentication methods and server settings.
  • If the server has command execution enabled, attackers can execute arbitrary commands.

Overall, this leads to a complete compromise of confidentiality, integrity, and availability of the File Browser server.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the File Browser instance has self-registration (signup) enabled and if the default user permissions include administrative rights (perm.admin = true). An unauthenticated user can then register an administrator account via the public signup endpoint.

To verify if the vulnerability is present, you can attempt to register a new user via the public signup API endpoint and then check if the new user has administrative privileges.

Example commands to test this might include:

  • Use curl to register a new user via the signup endpoint: curl -X POST http://<filebrowser-server>/api/signup -d '{"username":"testuser","password":"testpass"}' -H 'Content-Type: application/json'
  • Attempt to access an admin-only endpoint with the new user's credentials, for example: curl -u testuser:testpass http://<filebrowser-server>/api/users

If the new user can access admin-only endpoints, the system is vulnerable. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Disable self-registration (signup) if it is currently enabled to prevent unauthenticated users from creating accounts.
  • Ensure that the default user permissions do not include administrative rights (perm.admin = false) for new users.
  • Upgrade File Browser to version 2.62.0 or later, where the vulnerability has been fixed by explicitly resetting admin privileges for self-registered users.

These steps will prevent unauthorized privilege escalation through the signup handler.

