Platform: go
Component: github.com/filebrowser/filebrowser/v2
Fixed in: 2.63.2, 2.63.1
CVE-2026-35607 is a Remote Code Execution (RCE) vulnerability affecting Filebrowser v2. This flaw allows attackers to execute arbitrary commands on the server if they can successfully authenticate via the proxy authentication handler and are automatically provisioned as a user. The vulnerability impacts versions prior to 2.63.1 and has been addressed in that release.
An attacker can exploit this vulnerability to gain complete control over the filebrowser server. By successfully authenticating through the proxy authentication mechanism, an attacker can trigger the creation of a user account with elevated privileges, specifically the ability to execute commands. This allows for arbitrary code execution, potentially leading to data theft, system compromise, and further lateral movement within the network. The impact is significant, as an attacker could effectively take over the entire server and potentially access sensitive files stored within the filebrowser instance.
This vulnerability was publicly disclosed on 2026-04-08. There is no indication of active exploitation at this time, but the ease of exploitation and the potential impact suggest it could become a target. No KEV listing is currently available. Public proof-of-concept code is not yet available, but the vulnerability's nature makes it likely that one will be developed.
Exploit status
EPSS: 0.09% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to version 2.63.1 or later. If upgrading immediately is not possible, consider implementing temporary workarounds. Restrict access to the proxy authentication endpoint to trusted sources only. Implement strict input validation on all user-supplied data to prevent command injection. Monitor filebrowser logs for suspicious activity, particularly related to user creation and privilege escalation. After upgrading, confirm the fix by attempting to create a user via proxy authentication and verifying that the user does not have execute permissions.
Upgrade to version 2.63.1 or later to mitigate the vulnerability. This version fixes the issue by ensuring that users auto-created through proxy authentication do not inherit execute permissions.
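The weak-versus-hardened provisioning behaviour the advisory describes, together with the post-upgrade audit from the mitigation paragraph, as an added Go example; the types and functions are hypothetical and are not filebrowser's own code:

```go
package main

import "fmt"

// Permissions models per-user permission flags of a file manager. This is a
// hypothetical model for illustration, not filebrowser's own type.
type Permissions struct {
	Admin, Execute, Create, Rename, Modify, Delete, Share, Download bool
}

// User is the account record produced by auto-provisioning (hypothetical).
type User struct {
	Username string
	Perm     Permissions
}

// ProvisionUnsafe copies the instance defaults verbatim: if the defaults
// carry Execute (or Admin), every auto-created proxy user inherits them.
// This is the weak behaviour the advisory describes, kept for comparison.
func ProvisionUnsafe(username string, defaults Permissions) User {
	return User{Username: username, Perm: defaults}
}

// ProvisionProxyUser applies a mask so that an account created only because
// a proxy header named it can never hold Execute or Admin, whatever the
// instance defaults say. The remaining flags still follow the defaults.
func ProvisionProxyUser(username string, defaults Permissions) User {
	p := defaults
	p.Admin = false
	p.Execute = false
	return User{Username: username, Perm: p}
}

// UsersWithExecute is the post-upgrade audit the advisory suggests: it lists
// every account that holds Execute, so auto-provisioned names stand out.
func UsersWithExecute(users []User) []string {
	var out []string
	for _, u := range users {
		if u.Perm.Execute {
			out = append(out, u.Username)
		}
	}
	return out
}

func main() {
	// Constructed defaults: an operator left Execute enabled for new users.
	defaults := Permissions{Execute: true, Create: true, Download: true}
	weak := ProvisionUnsafe("proxy-alice", defaults)
	safe := ProvisionProxyUser("proxy-bob", defaults)
	fmt.Println("accounts with execute:", UsersWithExecute([]User{weak, safe}))
}
```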
CVE-2026-35607 is a Remote Code Execution vulnerability in Filebrowser v2 where automatically created proxy users are granted execute permissions, allowing attackers to run commands.
You are affected if you are running Filebrowser v2 prior to version 2.63.1 and utilize the proxy authentication feature.
Upgrade Filebrowser to version 2.63.1 or later. As a temporary workaround, restrict permissions for automatically provisioned users.
There are currently no reports of active exploitation, but the vulnerability's nature suggests it could be targeted once a public proof-of-concept is available.
Refer to the Filebrowser GitHub repository for updates and advisories: https://github.com/filebrowser/filebrowser/security/advisories