Platform: go
Component: github.com/filebrowser/filebrowser/v2
Fixed in: 2.62.1, 2.62.0
CVE-2026-32758 is a Path Traversal vulnerability discovered in filebrowser/filebrowser v2. This flaw allows authenticated users with Create or Rename permissions to bypass administrator-configured deny rules, potentially leading to unauthorized file access. The vulnerability exists because the path validation occurs before the path is cleaned, allowing manipulation via .. sequences. Affected versions are those prior to 2.62.0, and a patch is available in version 2.62.0.
CVE-2026-32758 in Filebrowser allows an attacker to bypass configured access rules. The resourcePatchHandler in http/resource.go validates the destination path against access rules before the path is cleaned/normalized. However, the path cleaning process, via path.Clean(), resolves .. sequences, resulting in a different effective path than the one initially validated. This means an attacker can manipulate the path to access files or directories that would normally be out of their reach, compromising system security. The CVSS severity is 6.5, indicating a moderate risk. Version 2.62.0 addresses this vulnerability.
An attacker could exploit this vulnerability by sending a resource patch request whose destination path contains .. sequences. The initial validation, performed on the raw path, may allow the request; the subsequent path cleaning then resolves the .. sequences to a location outside the intended directory, giving the attacker access to a file or directory the deny rules were meant to protect. This could result in the reading, modification, or deletion of sensitive files, or even the execution of malicious code on the server. Exploitation complexity is low: it requires only an authenticated account with the relevant permission and a single crafted request.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to update Filebrowser to version 2.62.0 or later. This version fixes the vulnerability by ensuring path validation occurs after path cleaning, preventing manipulation through .. sequences. As an additional measure, review and strengthen configured access rules in Filebrowser to minimize the attack surface. Monitoring system logs for suspicious activity can also help detect and respond to potential exploitation attempts. Consider using a firewall to limit access to Filebrowser from untrusted sources.
Update File Browser to version 2.62.0 or higher. This version fixes the path traversal vulnerability that allows bypassing administrator-configured access rules. The update will prevent authenticated users with create or rename permissions from writing or moving files to protected paths.
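The root cause described above (rules evaluated on the raw destination before path.Clean() resolves the .. sequences) and the fix (normalize first, then evaluate the rules) are easiest to see side by side. The following is an added illustration written for this page; it is not filebrowser's code, and the deny-rule format, the rule "/protected", the request paths and the helper names (checkThenClean, cleanThenCheck, denied) are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrDenied is returned when a destination falls under a deny rule.
var ErrDenied = errors.New("destination denied by access rule")

// denyRules is a constructed stand-in for administrator-configured deny
// rules (path prefixes); it is not filebrowser's rule format or data.
var denyRules = []string{"/protected"}

// underRule reports whether p is the rule path itself or lies below it.
func underRule(p, rule string) bool {
	rule = strings.TrimSuffix(rule, "/")
	return p == rule || strings.HasPrefix(p, rule+"/")
}

// denied evaluates a path against the deny rules. It assumes the caller
// passes the path that the filesystem operation will actually use.
func denied(p string) bool {
	for _, r := range denyRules {
		if underRule(p, r) {
			return true
		}
	}
	return false
}

// checkThenClean models the vulnerable ordering: the rules see the raw
// client-supplied string, and only afterwards is the path cleaned, so a
// ".." segment changes the effective path after the decision was made.
func checkThenClean(dst string) (string, error) {
	if denied(dst) {
		return "", ErrDenied
	}
	return path.Clean(dst), nil
}

// cleanThenCheck models the fix: normalize first, so the path the rules
// evaluate is exactly the path that will be written or moved to.
// path.Join with a leading "/" both cleans the path and anchors it to the
// root, which also neutralizes a relative "../x" that path.Clean alone
// would leave as-is.
func cleanThenCheck(dst string) (string, error) {
	effective := path.Join("/", dst)
	if denied(effective) {
		return "", ErrDenied
	}
	return effective, nil
}

func main() {
	// Constructed destination paths, not captured traffic.
	for _, dst := range []string{
		"/public/report.txt",
		"/protected/secret.txt",
		"/public/../protected/secret.txt",
	} {
		p1, err1 := checkThenClean(dst)
		p2, err2 := cleanThenCheck(dst)
		fmt.Printf("%-34s vulnerable: %-22s %v | fixed: %-22s %v\n", dst, p1, err1, p2, err2)
	}
}
```

Running it shows the third request passing the vulnerable check and resolving to "/protected/secret.txt", while the fixed ordering rejects it. The general lesson is the one the advisory states: any authorization decision made on a path must be made on the canonical form of that path, never on the string the client sent.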
Filebrowser is an open-source web file browser for accessing files on a server.
Verify the version of Filebrowser you are using. If it's prior to 2.62.0, you are vulnerable.
CVSS 6.5 indicates a moderate risk. It means the vulnerability could be exploited relatively easily and could have a significant impact on the confidentiality, integrity, or availability of the system.
If you cannot update immediately, consider restricting access to Filebrowser to trusted users and monitoring system logs for suspicious activity.
You can find more information about this vulnerability in vulnerability databases such as NIST NVD.