CVE-2026-35607
Improper Permission Assignment in File Browser Proxy Auth

Publication date: 2026-04-07

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 ("self-registered users don't get execute perms") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global defaults, even though the signup path was explicitly changed to prevent execution rights from being inherited by automatically provisioned accounts. This vulnerability is fixed in 2.63.1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: filebrowser
Product: filebrowser
Version / Range: up to and including 2.63.0
CWE
CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35607 is a privilege management vulnerability in the File Browser application affecting versions up to 2.62.2. The issue occurs because users who are automatically created via proxy authentication inherit Execute permissions and command execution capabilities from global default settings. This is contrary to the intended security policy, where users created through the signup handler have these execution rights explicitly removed.

A previous fix removed execution permissions and commands from signup-created users, but this fix was not applied to users created via proxy authentication. As a result, proxy-auth auto-created users gain unintended execution privileges without explicit administrator approval.

The vulnerability is fixed in version 2.63.1 by applying the same restrictions to proxy-auth users as those applied to signup users, removing Admin, Execute, and Commands rights by default.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized users gaining execution privileges within the File Browser environment if proxy authentication is enabled. Specifically, auto-provisioned users can execute commands such as "git", "ls", "cat", and "id" without explicit administrative approval.

Such unintended execution capabilities can allow attackers or unauthorized users to perform actions that compromise the confidentiality, integrity, and availability of the system and its data.

The impact includes potential unauthorized command execution, privilege escalation, and violation of security policies, which can lead to broader system compromise.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if users auto-created via proxy authentication have execute permissions and command lists assigned by default, which they should not have.

Specifically, you can verify the permissions of proxy-authenticated users to see if they have 'execute: true' and a non-empty list of commands such as "git", "ls", "cat", "id".

Commands to inspect user permissions depend on your File Browser setup and access to its configuration or user data. For example, you might query the user permission settings via the File Browser API or inspect configuration files or logs that show user permissions.

Since the vulnerability involves the proxy authentication handler auto-assigning execute permissions, you should check the user permission attributes for proxy-auth users, ensuring that 'Perm.Execute' is false and 'Commands' is an empty list.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade File Browser to version 2.63.1 or later where the issue is fixed.

If upgrading is not immediately possible, manually ensure that users auto-created via proxy authentication do not have execute permissions or command lists assigned by default.

  • Apply the same restrictions as the signup handler to proxy-auth auto-provisioned users by setting:
    - user.Perm.Admin = false
    - user.Perm.Execute = false
    - user.Commands = [] (empty list)

These steps prevent proxy-auth users from inheriting execution capabilities and command permissions from global defaults, closing the security gap.
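The restriction described in the mitigation list and the check described in the detection answer, written out in Go (File Browser's language) as an added example that is not File Browser's own code; the Perm and User types, their field names and the Defaults values are assumptions modelled on the attribute names the advisory quotes.

```go
package main

import "fmt"
// Perm and User model only the fields this example needs (assumed shape,
// not File Browser's own structs, which carry more fields).
type Perm struct {
	Admin   bool
	Execute bool
}
type User struct {
	Username string
	Perm     Perm
	Commands []string
}

// Defaults stands in for the global defaults new users inherit. Constructed
// sample: Execute on plus a command list, the state proxy-auth users wrongly inherited before 2.63.1.
var Defaults = User{
	Perm:     Perm{Admin: false, Execute: true},
	Commands: []string{"git", "ls", "cat", "id"},
}

// ProvisionProxyUser creates a user on first proxy-auth login and applies
// the signup handler's restrictions regardless of the global defaults.
func ProvisionProxyUser(username string, defaults User) User {
	u := defaults
	u.Username = username
	u.Perm.Admin = false
	u.Perm.Execute = false
	u.Commands = []string{}
	return u
}

// AuditExecuteRights returns every username with Execute set or a non-empty
// command list; run it over exported proxy-auth accounts to find the gap.
func AuditExecuteRights(users []User) []string {
	var flagged []string
	for _, u := range users {
		if u.Perm.Execute || len(u.Commands) > 0 {
			flagged = append(flagged, u.Username)
		}
	}
	return flagged
}

func main() {
	unpatched := User{Username: "alice", Perm: Defaults.Perm, Commands: Defaults.Commands} // pre-2.63.1 result
	fixed := ProvisionProxyUser("bob", Defaults)
	fmt.Println(AuditExecuteRights([]User{unpatched, fixed})) // [alice]
}
```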


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows users auto-created via proxy authentication to inherit execution privileges and command permissions without explicit administrative approval, which constitutes improper privilege management.

Such unauthorized privilege escalation can lead to unauthorized access or modification of sensitive files, potentially violating security requirements mandated by common standards and regulations like GDPR and HIPAA that require strict access controls and protection of sensitive data.

Therefore, until patched, deployments using proxy authentication with default commands enabled may fail to comply with these regulations' principles of least privilege and secure user management.

