CVE-2026-32760: Admin Account Creation in Filebrowser v2
Platform: go
Component: github.com/filebrowser/filebrowser/v2
Fixed in: 2.62.0
CVE-2026-32760 is a critical vulnerability affecting Filebrowser v2, allowing unauthenticated users to register as full administrators. This occurs when self-registration is enabled (signup = true) and the default user permissions grant administrative privileges. The vulnerability impacts versions prior to 2.62.0 and can be resolved by upgrading to the patched version.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-32760 grants an attacker complete administrative control over the Filebrowser instance. This includes the ability to access, modify, delete, and download all files stored within the system. An attacker could also create new users with elevated privileges, potentially establishing persistent access. The blast radius extends to any data stored and managed by Filebrowser, making this a high-impact vulnerability. The ease of exploitation, requiring only a web browser and enabled self-registration, significantly increases the risk of widespread compromise.
Exploitation Context
CVE-2026-32760 is currently not listed on KEV or EPSS, indicating a low to medium probability of active exploitation. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's simplicity. The vulnerability was published on 2026-03-16, and it is recommended to monitor security advisories and threat intelligence feeds for any signs of exploitation. This vulnerability shares similarities with other privilege escalation flaws where default configurations inadvertently grant excessive permissions.
Threat Intelligence
EPSS: 0.02% (4% percentile)
Mitigation and Workarounds
The primary mitigation for CVE-2026-32760 is to upgrade Filebrowser to version 2.62.0 or later, which includes the fix. If immediate upgrading is not possible, disable self-registration (set signup = false in the Filebrowser configuration). As a temporary workaround, review and restrict default user permissions to prevent the automatic granting of administrative privileges during registration. Monitor Filebrowser logs for suspicious user registration attempts, particularly those with unusual usernames. After upgrading, confirm the fix by attempting to register a new user with self-registration enabled and verifying that the new user does not receive administrative privileges.
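To check whether a Go project still pins a release that needs the upgrade described above, the following added example (not code from Filebrowser or from this advisory) reads a go.mod, finds the Filebrowser v2 requirement and compares it with the fixed release 2.62.0. The function names are hypothetical, and it covers only the version condition; whether signup and default admin permissions are enabled still has to be checked in the instance's settings.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const module = "github.com/filebrowser/filebrowser/v2"
var fixed = [3]int{2, 62, 0} // first patched release named on this page

// requiredVersion returns the version go.mod requires for module, or "".
func requiredVersion(gomod string) string {
	inRequire := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop "// indirect" etc.
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[1] == "(": // start of a require/replace/exclude block
			inRequire = f[0] == "require"
		case len(f) == 3 && f[0] == "require" && f[1] == module:
			return f[2]
		case len(f) == 2 && inRequire && f[0] == module:
			return f[1]
		}
	}
	return ""
}

// affected reports whether version sorts before 2.62.0 in semver order.
func affected(version string) (bool, error) {
	core, _, _ := strings.Cut(strings.TrimPrefix(version, "v"), "+") // build metadata
	core, pre, _ := strings.Cut(core, "-") // pre-release or pseudo-version tail
	var v [3]int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &v[0], &v[1], &v[2]); err != nil {
		return false, fmt.Errorf("unparseable version %q", version)
	}
	for i := range v {
		if v[i] != fixed[i] {
			return v[i] < fixed[i], nil
		}
	}
	return pre != "", nil // 2.62.0-rc.1 still precedes 2.62.0
}

func main() {
	fmt.Println(affected(requiredVersion("require github.com/filebrowser/filebrowser/v2 v2.61.0\n"))) // constructed input
}
```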
How to Fix
Upgrade File Browser to version 2.62.0 or later. This version fixes the vulnerability that allows unauthenticated users to register as administrators if self-registration is enabled and the default permissions include administrator privileges. Disable self-registration if it is not needed.
Frequently Asked Questions
What is CVE-2026-32760 — Admin Account Creation in Filebrowser v2?
CVE-2026-32760 is a critical vulnerability in Filebrowser v2 that allows unauthenticated users to register as administrators if self-registration is enabled and default permissions grant admin rights. This grants full control over the system.
Am I affected by CVE-2026-32760 in Filebrowser v2?
You are affected if you are running Filebrowser v2 prior to 2.62.0 and have self-registration enabled (signup = true) with default user permissions granting administrative privileges.
How do I fix CVE-2026-32760 in Filebrowser v2?
Upgrade Filebrowser to version 2.62.0 or later. As a temporary workaround, disable self-registration (signup = false) or restrict default user permissions.
Is CVE-2026-32760 being actively exploited?
While not currently listed on KEV or EPSS, the vulnerability's simplicity suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.
Where can I find the official Filebrowser advisory for CVE-2026-32760?
Refer to the Filebrowser security advisory on their GitHub repository: [https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7w4r-375r-6x4r](https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7w4r-375r-6x4r)