Platform
go
Component
github.com/filebrowser/filebrowser/v2
Fixed in
2.62.1
2.62.0
CVE-2026-32758 is a path traversal vulnerability in Filebrowser v2. It lets authenticated users bypass the configured access rules and manipulate files they are not meant to reach. The root cause is insufficient validation of the destination path before a file operation is performed. Versions prior to 2.62.0 are affected; upgrading is the recommended remediation.
An attacker who exploits this flaw sidesteps administrator-configured deny rules and gains unauthorized access to files and directories within the Filebrowser instance. Depending on what is stored there, that can mean data exfiltration, tampering with critical files, or code execution if the attacker can place a script or binary where something will later run it. The blast radius depends on the sensitivity of the files Filebrowser manages and on the permissions held by the account used. Authentication is required, but the bypass defeats the access-control layer itself, so every account that can create or rename files becomes a viable foothold.
CVE-2026-32758 was publicly disclosed on 2026-03-16. There is no indication of active exploitation at this time, and it is not listed in the CISA KEV catalog. Because exploitation requires a valid account, widespread opportunistic exploitation is less likely than for flaws reachable anonymously. No public proof-of-concept code is available yet, but the simplicity of the bug class makes it likely that one will appear.
Exploit status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32758 is to upgrade Filebrowser to version 2.62.0 or later, which contains the fix. If an immediate upgrade is not feasible, limit who can create or rename files, since those are the operations that reach the flawed check, and keep the set of authenticated users as small as possible. Reviewing and tightening deny rules is still worthwhile, but remember that this vulnerability bypasses exactly those rules, so treat them as defence in depth rather than a fix. A WAF is unlikely to help, because the bypass lives in application logic and the request itself can look entirely legitimate. Monitor Filebrowser logs for attempts to write or move files outside the directories a user is expected to use.
Update File Browser to version 2.62.0 or later. This version fixes the path traversal vulnerability that allows administrator-configured access rules to be bypassed. The update prevents authenticated users with create or rename permissions from writing or moving files into protected paths.
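The bug class described above, as an added example in Go. This is not Filebrowser's code and does not reproduce its rule engine; the types, function names and the "/secret" rule are assumptions made for illustration. It contrasts a check that validates only the path a request is addressed to (so a rename can land inside a denied directory, with or without ".." tricks) against one that normalizes and checks every path the operation touches:

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// DenyRule marks a directory subtree as off-limits. Hypothetical model of the
// administrator-configured deny rules the advisory mentions, not Filebrowser's own type.
type DenyRule struct {
	Prefix string // e.g. "/secret"
}

// FileOp is a request as the server sees it: the path named in the URL and,
// for a rename, the destination parameter.
type FileOp struct {
	Action      string // "create" or "rename"
	Path        string // path the request is addressed to
	Destination string // target path for rename; empty for create
}

// normalize resolves "." and ".." segments and forces a leading slash, so a
// crafted destination such as "docs/../secret/x" becomes "/secret/x".
func normalize(p string) string {
	return path.Clean("/" + strings.TrimPrefix(p, "/"))
}

// denied reports whether p (already normalized) lies inside a denied subtree.
// Matching on a component boundary avoids treating "/secrets" as "/secret".
func denied(rules []DenyRule, p string) bool {
	for _, r := range rules {
		pre := normalize(r.Prefix)
		if p == pre || strings.HasPrefix(p, pre+"/") {
			return true
		}
	}
	return false
}

// allowVulnerable models the flawed logic: only the request path is checked,
// so a rename may move a file into a denied directory because Destination is
// never inspected.
func allowVulnerable(rules []DenyRule, op FileOp) bool {
	return !denied(rules, normalize(op.Path))
}

// allowFixed checks every path the operation will touch, after normalization.
func allowFixed(rules []DenyRule, op FileOp) bool {
	if denied(rules, normalize(op.Path)) {
		return false
	}
	if op.Destination != "" && denied(rules, normalize(op.Destination)) {
		return false
	}
	return true
}

func main() {
	rules := []DenyRule{{Prefix: "/secret"}}
	// Constructed requests: direct write, plain rename into the denied tree,
	// rename with a traversal sequence, and a sibling directory that must stay allowed.
	ops := []FileOp{
		{Action: "create", Path: "/secret/payload.sh"},
		{Action: "rename", Path: "/docs/payload.sh", Destination: "/secret/payload.sh"},
		{Action: "rename", Path: "/docs/notes.txt", Destination: "/docs/../secret/notes.txt"},
		{Action: "rename", Path: "/docs/a.txt", Destination: "/secrets/a.txt"},
	}
	for _, op := range ops {
		fmt.Printf("%-6s %-18s -> %-26s vulnerable=%-5v fixed=%v\n",
			op.Action, op.Path, op.Destination, allowVulnerable(rules, op), allowFixed(rules, op))
	}
}
```

The two points a practitioner should take from this are that every path parameter an operation consumes needs the same check as the request path, and that the check must run on the normalized path, otherwise ".." segments walk straight past a prefix comparison.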
Filebrowser is an open-source web file browser for accessing files on a server.
Check which version of Filebrowser you are running. Anything before 2.62.0 is vulnerable.
A CVSS base score of 6.5 falls in the Medium range. Here it reflects a flaw that is relatively easy to exploit once an account is in hand and that can materially affect the confidentiality, integrity or availability of the data Filebrowser manages, without the total compromise a Critical score would imply.
If you cannot update immediately, restrict Filebrowser access to trusted users, remove create and rename permissions from accounts that do not need them, and monitor system logs for suspicious activity.
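For projects that pull the module into their own Go build rather than running the prebuilt binary, the version check can be automated against go.mod. The following is an added example and not code from the page or from the Filebrowser project; the go.mod text is constructed, the function names are mine, and the fixed version is taken from the advisory text above (2.62.0). It handles the single-line and block require forms, "+incompatible" build metadata, and pseudo-versions, which sort before the release they are named after and are therefore still affected:

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module and fixed version as stated in the advisory above.
const (
	AffectedModule = "github.com/filebrowser/filebrowser/v2"
	FixedVersion   = "v2.62.0"
)

// parseVersion extracts major.minor.patch from a Go module version and reports
// whether a pre-release or pseudo-version suffix (e.g. "-0.20260301...") is
// present. Build metadata after "+" is ignored, as semver requires.
func parseVersion(v string) (nums [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, false, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, false, false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// versionBefore reports whether v sorts strictly before fixed. A pre-release or
// pseudo-version of the fixed version itself precedes the release.
func versionBefore(v, fixed string) (bool, error) {
	a, aPre, ok := parseVersion(v)
	if !ok {
		return false, fmt.Errorf("unparseable version %q", v)
	}
	b, _, ok := parseVersion(fixed)
	if !ok {
		return false, fmt.Errorf("unparseable version %q", fixed)
	}
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i], nil
		}
	}
	return aPre, nil
}

// requiredVersion scans go.mod text for the module's require entry, in either
// the single-line or the block form, dropping "// indirect" comments. It does
// not follow replace directives; review those by hand.
func requiredVersion(gomod, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue
		}
		f := strings.Fields(line)
		if len(f) == 2 && f[0] == module {
			return f[1], true
		}
	}
	return "", false
}

// isAffected is the check to run over a go.mod file: returns the required
// version (empty if the module is absent) and whether it predates the fix.
func isAffected(gomod string) (version string, affected bool, err error) {
	v, found := requiredVersion(gomod, AffectedModule)
	if !found {
		return "", false, nil
	}
	before, err := versionBefore(v, FixedVersion)
	return v, before, err
}

// sampleGoMod is a constructed go.mod, not taken from any real project.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/filebrowser/filebrowser/v2 v2.61.3
	github.com/spf13/cobra v1.8.0 // indirect
)
`

func main() {
	v, affected, err := isAffected(sampleGoMod)
	fmt.Printf("required=%q affected=%v err=%v\n", v, affected, err)
}
```

For a standalone deployment (binary or container image) this does not apply; there, confirm the running version from the server itself and compare it with 2.62.0 in the same way.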
You can find more information about this vulnerability in vulnerability databases such as NIST NVD.