Platform: go
Component: github.com/filebrowser/filebrowser/v2
Fixed in: 2.62.3, 2.62.2
CVE-2026-34528 is a remote code execution (RCE) vulnerability affecting File Browser v2. This flaw allows unauthenticated users to potentially execute arbitrary commands on the server if signup is enabled and the default user template is configured with Execute=true. The vulnerability was published on March 31, 2026, and a fix is available in version 2.62.2.
An attacker exploiting this vulnerability could achieve remote code execution on the File Browser server. This means they could potentially gain full control of the system, including access to sensitive data, modification of files, and installation of malware. The blast radius extends to any data stored and managed by File Browser, and could lead to complete system compromise. This vulnerability is particularly concerning because it requires no authentication, making it easily exploitable by anyone with network access to the File Browser instance.
The vulnerability's public disclosure date (March 31, 2026) suggests it is relatively new. Exploitation context is currently pending evaluation, but the ease of exploitation (no authentication required) and the potential for severe impact suggest a medium to high probability of exploitation. No public proof-of-concept (PoC) exploits have been widely reported as of this writing, but the vulnerability's simplicity makes it likely that PoCs will emerge.
Exploit Status
EPSS: 0.18% (39th percentile)
The primary mitigation is to upgrade File Browser to version 2.62.2 or later, which contains the fix. If upgrading immediately is not possible, consider disabling user signup functionality as a temporary workaround. Additionally, review the default user template settings and ensure that Execute is set to false. Implement a Web Application Firewall (WAF) rule to block requests targeting the /signup endpoint with suspicious parameters. Monitor File Browser logs for unusual activity, particularly failed signup attempts or unexpected command executions.
Update File Browser to version 2.62.2 or later. This version fixes the vulnerability that allows unauthenticated users to execute arbitrary commands on the server if signup is enabled and execution is permitted in the default user template.
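One way to check an instance against the conditions described above, given its running version and its configuration exported as JSON. This is an added example, not File Browser's own code: the JSON key names and the helpers `Audit` and `olderThan` are assumptions, and the sample config is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// exportedConfig holds only the fields checked here. The JSON key names are
// assumptions about an exported File Browser config; adjust them to your export.
type exportedConfig struct {
	Settings struct {
		Signup   bool `json:"signup"`
		Defaults struct {
			Perm struct {
				Execute bool `json:"execute"`
			} `json:"perm"`
		} `json:"defaults"`
	} `json:"settings"`
}

// olderThan compares dotted versions numerically; unparsable parts count as 0.
func olderThan(v, fixed string) bool {
	var a, b [3]int
	fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &a[0], &a[1], &a[2])
	fmt.Sscanf(fixed, "%d.%d.%d", &b[0], &b[1], &b[2])
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Audit reports the two conditions from the advisory: a version below the
// 2.62.2 fix, and signup enabled while the default user template has Execute.
func Audit(version string, configJSON []byte) (oldVersion, riskyConfig bool, err error) {
	var c exportedConfig
	if err = json.Unmarshal(configJSON, &c); err != nil {
		return false, false, err
	}
	s := c.Settings
	return olderThan(version, "2.62.2"), s.Signup && s.Defaults.Perm.Execute, nil
}

func main() {
	sample := []byte(`{"settings":{"signup":true,"defaults":{"perm":{"execute":true}}}}`) // constructed
	fmt.Println(Audit("v2.62.1", sample))
}
```

An instance that reports `riskyConfig` on a fixed version is still worth correcting, since the workaround settings are independent of the upgrade.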
CVE-2026-34528 is a remote code execution vulnerability in File Browser v2. It allows unauthenticated users to execute commands if signup is enabled and the default user template has 'Execute=true'. This poses a significant security risk.
You are affected if you are running File Browser v2 prior to version 2.62.2 and have user signup enabled, especially if the default user template has 'Execute=true' set. Check your version and configuration immediately.
Upgrade File Browser to version 2.62.2 or later. As a temporary workaround, disable user signup or set 'Execute=false' in the default user template. Prioritize upgrading for the best protection.
While no widespread exploitation has been publicly reported yet, the vulnerability's ease of exploitation suggests a potential for active exploitation. Monitor your systems and apply the fix promptly.
Refer to the official File Browser GitHub repository and security advisories for the most up-to-date information and announcements regarding CVE-2026-34528: https://github.com/filebrowser/filebrowser/security/advisories