Cyber Posture

CVE-2026-34528

High · Public PoC

Published: 01 April 2026
Modified: 06 April 2026
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (41.0th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly mitigates the vulnerability by requiring timely remediation of the specific flaw in signupHandler permission stripping, as patched in version 2.62.2.
- prevent: Enforces the least privilege principle, preventing self-registered users from inheriting the unnecessary Execute permission and Commands list from the default template.
- prevent: Manages the account lifecycle, including self-registration via signup, ensuring new accounts are provisioned without excessive shell execution privileges.

Security Summary [AI-generated]

CVE-2026-34528 is a vulnerability in File Browser, an open-source file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. It affects versions prior to 2.62.2 and stems from improper handling of user permissions in the signupHandler function. Specifically, the handler applies default user permissions from the template via d.settings.Defaults.Apply(user) but strips only the Admin permission, failing to remove the Execute permission and Commands list.

Unauthenticated attackers can exploit this if an administrator has enabled signup, server-side execution, and Execute=true in the default user template. By self-registering, the attacker inherits shell execution capabilities, enabling arbitrary command execution on the server. The CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates network accessibility without privileges, high impacts on confidentiality, integrity, and availability, but requires high attack complexity due to the prerequisite configurations.

The vulnerability has been patched in File Browser version 2.62.2. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub release notes at https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2 and the GitHub Security Advisory at https://github.com/filebrowser/filebrowser/security/advisories/GHSA-x8jc-jvqm-pm3f.
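The following Go program is an added illustration of the permission-stripping flaw described in the Description and Security Summary above; it is not File Browser's own code. It models the default user template and the signup path with a deliberately simplified User/Permissions type (the field names Admin, Execute and Commands follow the advisory text, the struct layout and the Apply method are assumptions for this example). vulnerableSignup reproduces the pre-2.62.2 behaviour (apply defaults, strip only Admin), hardenedSignup shows the least-privilege form (also strip Execute and clear Commands), and canRunCommands is the check an administrator could run over accounts that self-registered before upgrading, since upgrading alone does not revoke permissions those accounts already inherited.

```go
package main

import "fmt"

// Permissions is a simplified model of the per-user permission set.
// Field names follow the advisory; the struct itself is an assumption.
type Permissions struct {
	Admin   bool
	Execute bool // server-side command execution
	Create  bool
	Modify  bool
}

// User is a simplified model of a File Browser account.
type User struct {
	Username string
	Perm     Permissions
	Commands []string // allow-list of commands the user may run
}

// Defaults stands in for the administrator-managed default user template.
type Defaults struct {
	Perm     Permissions
	Commands []string
}

// Apply copies the template onto a freshly created user. This mirrors the
// role of d.settings.Defaults.Apply(user) in the advisory (assumed behaviour).
func (d Defaults) Apply(u *User) {
	u.Perm = d.Perm
	u.Commands = append([]string(nil), d.Commands...)
}

// vulnerableSignup reproduces the pre-2.62.2 behaviour described in the
// advisory: defaults are applied, then only Admin is stripped, so Execute
// and the Commands list survive on the self-registered account.
func vulnerableSignup(d Defaults, username string) *User {
	u := &User{Username: username}
	d.Apply(u)
	u.Perm.Admin = false
	return u
}

// hardenedSignup applies the same defaults but additionally strips Execute
// and clears Commands, so self-registration can never grant shell execution
// regardless of what the template says.
func hardenedSignup(d Defaults, username string) *User {
	u := &User{Username: username}
	d.Apply(u)
	u.Perm.Admin = false
	u.Perm.Execute = false
	u.Commands = nil
	return u
}

// canRunCommands is the post-upgrade audit check: any account that
// self-registered while a vulnerable version was running should be flagged
// if it still carries Execute or a non-empty Commands list.
func canRunCommands(u *User) bool {
	return u.Perm.Execute || len(u.Commands) > 0
}

func main() {
	// Constructed template representing the risky configuration named in the
	// advisory: Execute=true in the default user template.
	tmpl := Defaults{
		Perm:     Permissions{Admin: true, Execute: true, Create: true},
		Commands: []string{"git", "ls"},
	}

	before := vulnerableSignup(tmpl, "newuser")
	after := hardenedSignup(tmpl, "newuser")

	fmt.Printf("pre-2.62.2 signup:  execute=%v commands=%v flagged=%v\n",
		before.Perm.Execute, before.Commands, canRunCommands(before))
	fmt.Printf("hardened signup:    execute=%v commands=%v flagged=%v\n",
		after.Perm.Execute, after.Commands, canRunCommands(after))
}
```

Note that hardenedSignup keeps the non-dangerous defaults (Create, Modify) intact; only the capabilities that translate into code execution are removed. In a real deployment the same audit should be paired with disabling signup or setting Execute=false in the template until the upgrade to 2.62.2 is complete.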

Details

CWE(s)

Affected Products

filebrowser
filebrowser
≤ 2.62.2

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability allows unauthenticated attackers to exploit a public-facing web application (File Browser) via signup to gain arbitrary shell command execution on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References