CRITICAL | CVE-2026-32760 | CVSS 9.5

CVE-2026-32760: Admin Account Creation in Filebrowser v2

Platform: go

Component: github.com/filebrowser/filebrowser/v2

Fixed in: 2.62.0

CVE-2026-32760 is a critical vulnerability affecting Filebrowser v2, allowing unauthenticated users to register as full administrators. This occurs when self-registration is enabled (signup = true) and the default user permissions grant administrative privileges. The vulnerability impacts versions prior to 2.62.0 and can be resolved by upgrading to the patched version.


Impact and Attack Scenarios

Successful exploitation of CVE-2026-32760 grants an attacker complete administrative control over the Filebrowser instance. This includes the ability to access, modify, delete, and download all files stored within the system. An attacker could also create new users with elevated privileges, potentially establishing persistent access. The blast radius extends to any data stored and managed by Filebrowser, making this a high-impact vulnerability. The ease of exploitation, requiring only a web browser and enabled self-registration, significantly increases the risk of widespread compromise.

Exploitation Context

CVE-2026-32760 is currently not listed on KEV or EPSS, indicating a low to medium probability of active exploitation. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's simplicity. The vulnerability was published on 2026-03-16, and it is recommended to monitor security advisories and threat intelligence feeds for any signs of exploitation. This vulnerability shares similarities with other privilege escalation flaws where default configurations inadvertently grant excessive permissions.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Reports: 1 threat report

EPSS

0.02% (4% percentile)

CISA SSVC

Exploitation: poc
Automatable: yes
Technical Impact: total

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-32760 is to upgrade Filebrowser to version 2.62.0 or later, which includes the fix. If immediate upgrading is not possible, disable self-registration (set signup = false in the Filebrowser configuration). As a temporary workaround, review and restrict default user permissions to prevent the automatic granting of administrative privileges during registration. Monitor Filebrowser logs for suspicious user registration attempts, particularly those with unusual usernames. After upgrading, confirm the fix by attempting to register a new user with self-registration enabled and verifying that the new user does not receive administrative privileges.
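
An added example (not code from Filebrowser or from this page): a standard-library Go check that reads a go.mod, finds the required version of the component named above, and reports whether it predates 2.62.0. The sample go.mod is constructed and the function names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Component and fixed version (2.62.0) as stated in the advisory above.
var modulePath, fixedIn = "github.com/filebrowser/filebrowser/v2", [3]int{2, 62, 0}

// requiredVersion returns the version go.mod requires for modulePath, or "" (replace directives are not followed).
func requiredVersion(gomod string) string {
	block := "" // directive whose parenthesised block we are inside
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop comments
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case len(f) == 1 && f[0] == ")":
			block = ""
		case len(f) == 2 && block == "require" && f[0] == modulePath:
			return f[1]
		case len(f) == 3 && f[0] == "require" && f[1] == modulePath:
			return f[2]
		}
	}
	return ""
}

// affected reports whether version v sorts before the fixed release.
func affected(v string) (bool, error) {
	var got [3]int
	core, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &got[0], &got[1], &got[2]); err != nil {
		return false, fmt.Errorf("unparseable version %q: %w", v, err)
	}
	for i := range got {
		if got[i] != fixedIn[i] {
			return got[i] < fixedIn[i], nil // numeric compare, so 2.9.x < 2.62.0
		}
	}
	return pre, nil // same core: a pre-release or pseudo-version of the fix predates it
}

func main() {
	// Constructed sample go.mod, not taken from a real project.
	v := requiredVersion("module example.test/app\n\nrequire (\n\t" + modulePath + " v2.61.2 // indirect\n)\n")
	bad, err := affected(v)
	fmt.Println(modulePath, v, "affected:", bad, err)
}
```

A patched dependency only covers the upgrade step; the signup and default-permission settings described above still need to be reviewed on the running instance.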

How to fix

Upgrade File Browser to version 2.62.0 or later. This version fixes the vulnerability that allows unauthenticated users to register as administrators when self-registration is enabled and the default permissions include administrator privileges. Disable self-registration if it is not needed.

Frequently asked questions

What is CVE-2026-32760 — Admin Account Creation in Filebrowser v2?

CVE-2026-32760 is a critical vulnerability in Filebrowser v2 that allows unauthenticated users to register as administrators if self-registration is enabled and default permissions grant admin rights. This grants full control over the system.

Am I affected by CVE-2026-32760 in Filebrowser v2?

You are affected if you are running Filebrowser v2 prior to 2.62.0 and have self-registration enabled (signup = true) with default user permissions granting administrative privileges.

How do I fix CVE-2026-32760 in Filebrowser v2?

Upgrade Filebrowser to version 2.62.0 or later. As a temporary workaround, disable self-registration (signup = false) or restrict default user permissions.

Is CVE-2026-32760 being actively exploited?

While not currently listed on KEV or EPSS, the vulnerability's simplicity suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.

Where can I find the official Filebrowser advisory for CVE-2026-32760?

Refer to the Filebrowser security advisory on their GitHub repository: [https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7w4r-375r-6x4r](https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7w4r-375r-6x4r)
