Platform: go
Component: github.com/filebrowser/filebrowser/v2
Fixed in: 2.63.2, 2.63.1
CVE-2026-35607 is a Remote Code Execution (RCE) vulnerability affecting Filebrowser v2. This flaw allows attackers to execute arbitrary commands on the server if they can successfully authenticate via the proxy authentication handler and are automatically provisioned as a user. The vulnerability impacts versions prior to 2.63.1 and has been addressed in that release.
An attacker exploiting this vulnerability can gain complete control over the Filebrowser server. By leveraging the proxy authentication mechanism, an attacker can trigger the creation of a new user account and, due to a flaw in the user creation process, be granted execute permissions. This allows them to execute arbitrary commands with the privileges of the Filebrowser process, potentially leading to data exfiltration, system compromise, or complete server takeover. The blast radius extends to any data stored and managed by Filebrowser, including sensitive files and user information.
This vulnerability was published on 2026-04-08. The exploitability is considered medium due to the requirement of successful proxy authentication. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature suggests it could be exploited relatively easily once a POC is developed. The vulnerability is not currently listed on KEV or EPSS, but its RCE nature warrants close monitoring.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC: (no value given)
CVSS Vector: (no value given)
The primary mitigation is to upgrade Filebrowser to version 2.63.1 or later, which includes the fix for this issue. If upgrading immediately is not possible, consider implementing stricter access controls for proxy authentication. Review and restrict the permissions granted to automatically provisioned users. Monitor Filebrowser logs for suspicious activity related to user creation and authentication. While not a direct fix, implementing a Web Application Firewall (WAF) with rules to detect and block malicious command execution attempts can provide an additional layer of defense.
Update to version 2.63.1 or higher to mitigate the vulnerability. This version fixes the issue by ensuring that users auto-created through proxy authentication do not inherit execution permissions.
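The quickest defender-side check is whether a build pins a Filebrowser v2 module older than the fixed release. The following Go program is an added example written for this page, not code from the Filebrowser project or from the advisory source: it scans go.mod text for the `github.com/filebrowser/filebrowser/v2` requirement (both the single-line and parenthesised `require` forms), compares it with the fixed version 2.63.1 from this advisory, and reports a verdict. The embedded go.mod is a constructed sample, and the helper names (`RequiredVersion`, `IsAffected`) are this example's own. It does not evaluate `replace` directives, and a version match only tells you the code is in the vulnerable range; per the advisory, exposure also requires the proxy authentication feature to be enabled.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module path and fixed version as stated in the advisory.
const (
	FilebrowserModule = "github.com/filebrowser/filebrowser/v2"
	FixedVersion      = "v2.63.1"
)

// parseSemver turns "v2.63.0" (optionally with a "-pre" or "+incompatible"
// suffix) into its MAJOR.MINOR.PATCH components.
func parseSemver(v string) ([3]int, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, fmt.Errorf("bad version component %q: %w", p, err)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1 as a is older than, equal to, or newer than b.
func compareVersions(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// RequiredVersion scans go.mod text for the version required for module.
// It understands "require m v" on one line and the "require ( ... )" block,
// strips trailing "// indirect" comments, and returns "" if module is absent.
func RequiredVersion(gomod, module string) string {
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "require (" {
			inBlock = true
			continue
		}
		if inBlock && line == ")" {
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) != 3 || fields[0] != "require" {
				continue
			}
			fields = fields[1:]
		}
		if len(fields) >= 2 && fields[0] == module {
			return fields[1]
		}
	}
	return ""
}

// IsAffected reports whether gomod pins a Filebrowser v2 release older than
// FixedVersion; the second result explains the verdict for the operator.
func IsAffected(gomod string) (bool, string) {
	got := RequiredVersion(gomod, FilebrowserModule)
	if got == "" {
		return false, FilebrowserModule + " is not required by this module"
	}
	have, err := parseSemver(got)
	if err != nil {
		return false, err.Error()
	}
	fixed, _ := parseSemver(FixedVersion)
	if compareVersions(have, fixed) < 0 {
		return true, fmt.Sprintf("%s %s is older than fixed %s", FilebrowserModule, got, FixedVersion)
	}
	return false, fmt.Sprintf("%s %s includes the fix", FilebrowserModule, got)
}

// sampleGoMod is a constructed go.mod for this example, not from any real project.
const sampleGoMod = `module example.com/myapp

go 1.22

require (
	github.com/filebrowser/filebrowser/v2 v2.63.0 // indirect
	github.com/spf13/cobra v1.8.0
)
`

func main() {
	affected, why := IsAffected(sampleGoMod)
	fmt.Printf("affected=%v: %s\n", affected, why)
}
```

Run it against a real go.mod by replacing `sampleGoMod` with the file's contents; a `true` verdict means the dependency is in the vulnerable range and the upgrade above applies.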
CVE-2026-35607 is a Remote Code Execution vulnerability in Filebrowser v2 where automatically created proxy users are granted execute permissions, allowing attackers to run commands.
You are affected if you are running Filebrowser v2 prior to version 2.63.1 and utilize the proxy authentication feature.
Upgrade Filebrowser to version 2.63.1 or later. As a temporary workaround, restrict permissions for automatically provisioned users.
There are currently no reports of active exploitation, but the vulnerability's nature suggests it could be targeted once a public proof-of-concept is available.
Refer to the Filebrowser GitHub repository for updates and advisories: https://github.com/filebrowser/filebrowser/security/advisories