Platform: go
Component: github.com/filebrowser/filebrowser/v2
Fixed in: 2.62.1, 2.62.0
CVE-2026-32758 is a Path Traversal vulnerability discovered in filebrowser/filebrowser v2. This flaw allows authenticated users with Create or Rename permissions to bypass administrator-configured deny rules, potentially leading to unauthorized file access. The vulnerability exists because the path validation occurs before the path is cleaned, allowing manipulation via .. sequences. Affected versions are those prior to 2.62.0, and a patch is available in version 2.62.0.
CVE-2026-32758 in Filebrowser allows an attacker to bypass configured access rules. The resourcePatchHandler in http/resource.go validates the destination path against access rules before the path is cleaned/normalized. However, the path cleaning process, via path.Clean(), resolves .. sequences, resulting in a different effective path than the one initially validated. This means an attacker can manipulate the path to access files or directories that would normally be out of their reach, compromising system security. The CVSS severity is 6.5, indicating a moderate risk. Version 2.62.0 addresses this vulnerability.
An attacker could exploit this vulnerability by sending a resource patch request with a manipulated destination path containing .. sequences. Initial path validation might allow the request, but subsequent path cleaning would resolve the .. sequences, allowing the attacker to access a file or directory outside the intended directory. This could result in the reading, modification, or deletion of sensitive files, or even the execution of malicious code on the server. The complexity of exploitation is relatively low, requiring only the submission of a malicious request.
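The ordering flaw described above, as an added Go example that is not filebrowser's own code: a hypothetical deny-rule check (constructed rules and sample destination) run against the raw destination before path.Clean, beside the corrected order that cleans first and validates the effective path.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed deny rule for the demonstration (a hypothetical model, not
// filebrowser's own rule format): anything at or below this prefix is denied.
var denyPrefixes = []string{"/protected"}

// allowed reports whether p is outside every denied prefix.
func allowed(p string) bool {
	for _, d := range denyPrefixes {
		if p == d || strings.HasPrefix(p, d+"/") {
			return false
		}
	}
	return true
}

// vulnerableOrder mirrors the flawed sequence the advisory describes: the
// raw destination is checked first, and path.Clean resolves ".." only
// afterwards. It returns the effective path and whether the check passed.
func vulnerableOrder(dst string) (string, bool) {
	ok := allowed(dst)
	return path.Clean("/" + dst), ok
}

// fixedOrder cleans first and validates the effective path, so the path
// that is checked is the path that is used.
func fixedOrder(dst string) (string, bool) {
	eff := path.Clean("/" + dst)
	return eff, allowed(eff)
}

func main() {
	dst := "/public/../protected/secret.txt" // constructed sample destination
	eff, ok := vulnerableOrder(dst)
	fmt.Printf("validate-then-clean: effective=%s passed=%v\n", eff, ok)
	eff, ok = fixedOrder(dst)
	fmt.Printf("clean-then-validate: effective=%s passed=%v\n", eff, ok)
}
```

The same check is useful as a regression test after upgrading: the cleaned path, never the raw request string, must be what the rules are evaluated against.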
Exploit status
EPSS: 0.01% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to update Filebrowser to version 2.62.0 or later. This version fixes the vulnerability by ensuring path validation occurs after path cleaning, preventing manipulation through .. sequences. As an additional measure, review and strengthen configured access rules in Filebrowser to minimize the attack surface. Monitoring system logs for suspicious activity can also help detect and respond to potential exploitation attempts. Consider using a firewall to limit access to Filebrowser from untrusted sources.
Update File Browser to version 2.62.0 or later. This version fixes the path traversal vulnerability that allows bypassing the access rules configured by the administrator. The update prevents authenticated users with create or rename permissions from writing or moving files to protected paths.
Filebrowser is an open-source web file browser for accessing files on a server.
Verify the version of Filebrowser you are using. If it's prior to 2.62.0, you are vulnerable.
CVSS 6.5 indicates a moderate risk. It means the vulnerability could be exploited relatively easily and could have a significant impact on the confidentiality, integrity, or availability of the system.
If you cannot update immediately, consider restricting access to Filebrowser to trusted users and monitoring system logs for suspicious activity.
You can find more information about this vulnerability in vulnerability databases such as NIST NVD.