CVE-2026-55668
Deferred Deferred - Pending Action

Symlink Bypass in File Browser via ScopedFs

Vulnerability report for CVE-2026-55668, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create attacker-controlled files outside the user's scope. This issue is fixed in version 2.63.16.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
filebrowser filebrowser 2.63.16

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in File Browser versions prior to 2.63.16 within the ScopedFs component. It occurs because the system validates the nearest existing ancestor directory of a dangling symlink (a symlink pointing to a non-existent target) rather than the symlink itself during file creation operations.

This flaw allows an authenticated user with Create and Modify permissions to exploit dangling symlinks to create files outside their authorized scope. Essentially, by creating a dangling symlink inside their allowed directory that points to an out-of-scope location, the user can write attacker-controlled files anywhere writable on the system, including locations belonging to other users.

The issue is fixed in version 2.63.16 by properly validating symlink targets and preventing scope escapes through dangling symlinks.

Compliance Impact

The vulnerability allows authenticated users to create attacker-controlled files outside their designated scope, including in other users' directories. This unauthorized file creation could lead to data integrity issues and potential unauthorized data access or modification.

Such unauthorized file operations may impact compliance with standards like GDPR and HIPAA, which require strict access controls and data integrity protections to prevent unauthorized data manipulation or exposure.

By enabling cross-tenant file creation and scope escapes, the vulnerability could undermine the enforcement of data segregation and access policies mandated by these regulations.

Detection Guidance

This vulnerability involves the exploitation of dangling symlinks within the File Browser application to create files outside a user's scope. Detection would involve identifying the presence of dangling symlinks that point outside the allowed directory scope and monitoring file creation requests that follow these symlinks.

Since the vulnerability is specific to File Browser versions prior to 2.63.16, the first step is to verify the version of File Browser running on your system.

  • Check the File Browser version to confirm if it is older than 2.63.16.
  • Scan the file system within the File Browser scope for dangling symlinks (symlinks pointing to non-existent targets). For example, on a Unix-like system, you can use the command: find /path/to/filebrowser/root -xtype l
  • Inspect logs or monitor API calls to endpoints like POST /api/resources/ for suspicious file creation activities that might be targeting paths outside the user’s scope.

There are no specific commands provided in the resources for detecting exploitation attempts, but the above steps can help identify potential indicators of this vulnerability.

Impact Analysis

This vulnerability can have significant security impacts by allowing an authenticated user to create arbitrary files outside their designated scope.

  • An attacker can write malicious or unauthorized files into directories they should not have access to.
  • It can lead to cross-tenant attacks where one user writes files into another user's directory.
  • This unauthorized file creation can be used to escalate privileges, inject malicious code, or disrupt system operations.

Overall, it compromises the integrity and isolation guarantees of the file management system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade File Browser to version 2.63.16 or later, where the issue has been fixed.

The fix prevents writes through dangling symlinks that escape the user's scope by properly validating symlink targets before allowing file creation.

Additionally, the update handles relative symlinks correctly and blocks delete operations that could escape the scope via symlinked ancestors.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55668. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart