CVE-2026-29188

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f	Patch
https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1	Release Notes
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-05 21:16

Updated : 2026-03-10 19:42

NVD link : CVE-2026-29188

Mitre link : CVE-2026-29188

CVE.ORG link : CVE-2026-29188

JSON object : View

Products Affected

filebrowser

filebrowser

CWE

CWE-284

Improper Access Control

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2026-29188", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-03-05T21:16:23.097", "references": [{"url": "https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1."}, {"lang": "es", "value": "File Browser proporciona una interfaz de gesti\u00f3n de archivos dentro de un directorio especificado y puede utilizarse para subir, eliminar, previsualizar, renombrar y editar archivos. Antes de la versi\u00f3n 2.61.1, una vulnerabilidad de control de acceso roto en el endpoint DELETE del protocolo TUS permite a usuarios autenticados con solo permiso de Creaci\u00f3n eliminar archivos y directorios arbitrarios dentro de su alcance, eludiendo la restricci\u00f3n de permiso de Eliminaci\u00f3n prevista. Cualquier despliegue multiusuario donde los administradores restringen expl\u00edcitamente la eliminaci\u00f3n de archivos para ciertos usuarios se ve afectado. Este problema ha sido parcheado en la versi\u00f3n 2.61.1."}], "lastModified": "2026-03-10T19:42:36.507", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C933E37A-6BEC-42C8-88CC-D8FD69116058", "versionEndExcluding": "2.61.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}