
CRITICAL | CVE-2026-32760 | CVSS 9.5

CVE-2026-32760: Admin Account Creation in Filebrowser v2

Platform: Go

Component: github.com/filebrowser/filebrowser/v2

Fixed in: 2.62.0


CVE-2026-32760 is a critical vulnerability affecting Filebrowser v2, allowing unauthenticated users to register as full administrators. This occurs when self-registration is enabled (signup = true) and the default user permissions grant administrative privileges. The vulnerability impacts versions prior to 2.62.0 and can be resolved by upgrading to the patched version.


Impact and Attack Scenarios

Successful exploitation of CVE-2026-32760 grants an attacker complete administrative control over the Filebrowser instance. This includes the ability to access, modify, delete, and download all files stored within the system. An attacker could also create new users with elevated privileges, potentially establishing persistent access. The blast radius extends to any data stored and managed by Filebrowser, making this a high-impact vulnerability. The ease of exploitation, requiring only a web browser and enabled self-registration, significantly increases the risk of widespread compromise.

Exploitation Context

CVE-2026-32760 is currently not listed on KEV or EPSS, indicating a low to medium probability of active exploitation. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's simplicity. The vulnerability was published on 2026-03-16, and it is recommended to monitor security advisories and threat intelligence feeds for any signs of exploitation. This vulnerability shares similarities with other privilege escalation flaws where default configurations inadvertently grant excessive permissions.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Reports: 1 threat report

EPSS

0.02% (percentile 4%)

CISA SSVC

Exploitation: poc
Automatable: yes
Technical Impact: total

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-32760 is to upgrade Filebrowser to version 2.62.0 or later, which includes the fix. If immediate upgrading is not possible, disable self-registration (set signup = false in the Filebrowser configuration). As a temporary workaround, review and restrict default user permissions to prevent the automatic granting of administrative privileges during registration. Monitor Filebrowser logs for suspicious user registration attempts, particularly those with unusual usernames. After upgrading, confirm the fix by attempting to register a new user with self-registration enabled and verifying that the new user does not receive administrative privileges.

How to Fix

Upgrade File Browser to version 2.62.0 or later. This version fixes the vulnerability that allows unauthenticated users to register as administrators when self-registration is enabled and the default permissions include administrator privileges. Disable self-registration if it is not needed.

Frequently Asked Questions

What is CVE-2026-32760 — Admin Account Creation in Filebrowser v2?

CVE-2026-32760 is a critical vulnerability in Filebrowser v2 that allows unauthenticated users to register as administrators if self-registration is enabled and default permissions grant admin rights. This grants full control over the system.

Am I affected by CVE-2026-32760 in Filebrowser v2?

You are affected if you are running Filebrowser v2 prior to 2.62.0 and have self-registration enabled (signup = true) with default user permissions granting administrative privileges.
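
The version condition can be checked locally against a go.mod file. The following is an added example, not code from Filebrowser or from this page; `CheckGoMod` is a hypothetical helper and the sample go.mod line is constructed. It covers only the version condition, so the signup setting and default permissions still have to be checked on the running instance.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const modulePath = "github.com/filebrowser/filebrowser/v2" // component named on this page
var fixedIn = [3]int{2, 62, 0}                             // "Fixed in" 2.62.0, from this page

// CheckGoMod scans go.mod text for the Filebrowser requirement. affected: the pinned version
// predates the fix. replaced: a replace directive overrides the module, so verify the target.
func CheckGoMod(goMod string) (version string, affected, replaced bool, err error) {
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		if len(f) > 0 && (f[0] == "require" || f[0] == "replace") {
			f = f[1:]
		}
		if len(f) < 2 || f[0] != modulePath {
			continue
		}
		if strings.Contains(line, "=>") {
			replaced = true
			continue
		}
		version = f[1]
	}
	if version == "" {
		return "", false, replaced, nil // module is not required at all
	}
	coreV, _, pre := strings.Cut(strings.TrimPrefix(version, "v"), "-")
	parts := strings.Split(coreV, ".")
	if len(parts) != 3 {
		return version, false, replaced, fmt.Errorf("not a semantic version: %q", version)
	}
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return version, false, replaced, convErr
		}
		if n != fixedIn[i] {
			return version, n < fixedIn[i], replaced, nil
		}
	}
	return version, pre, replaced, nil // a pre-release of 2.62.0 is treated as affected
}

func main() { // constructed sample go.mod line, not from a real project
	fmt.Println(CheckGoMod("require github.com/filebrowser/filebrowser/v2 v2.61.2 // indirect"))
}
```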

How do I fix CVE-2026-32760 in Filebrowser v2?

Upgrade Filebrowser to version 2.62.0 or later. As a temporary workaround, disable self-registration (signup = false) or restrict default user permissions.

Is CVE-2026-32760 being actively exploited?

While not currently listed on KEV or EPSS, the vulnerability's simplicity suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.

Where can I find the official Filebrowser advisory for CVE-2026-32760?

Refer to the Filebrowser security advisory on their GitHub repository: [https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7w4r-375r-6x4r](https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7w4r-375r-6x4r)
