CVE-2026-29188
Published: 05 March 2026
Summary
CVE-2026-29188 is a critical-severity Improper Access Control (CWE-284) vulnerability in File Browser (filebrowser/filebrowser). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). Its exploit-likelihood ranking is the 6.6th percentile (well below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): directly enforces approved authorizations for access to system resources, addressing the broken access control in the TUS DELETE endpoint that bypassed the Delete permission check.
SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of system flaws such as this improper access control vulnerability, addressed by upgrading to File Browser version 2.61.1.
AC-6 (Least Privilege): restricts users to only the permissions they need, such as Create without Delete, which limits the blast radius even where enforcement partially fails.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The broken access control in the DELETE endpoint directly enables unauthorized deletion of files and directories, which maps to T1485 Data Destruction as the impact in multi-user scopes.
NVD Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.
Deeper analysis
CVE-2026-29188 is a broken access control vulnerability in File Browser, an open-source file managing interface that supports uploading, deleting, previewing, renaming, and editing files within a specified directory. Affecting versions prior to 2.61.1, the flaw lies in the TUS protocol DELETE endpoint, which fails to enforce the intended Delete permission restriction. It impacts any multi-user deployment where administrators explicitly limit file deletion for certain users. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-284 (Improper Access Control) and CWE-732 (Incorrect Permission Assignment for Critical Resource). Note that the published vector's PR:N conflicts with the description, which requires an authenticated user holding Create permission; scored with PR:L, the same metrics yield 8.1 (High).
An authenticated attacker with only Create permission can exploit this issue to delete arbitrary files and directories within their scope, bypassing the Delete permission check. The result is unauthorized data destruction within that scope; in multi-tenant setups the scope may include other users' files or shared resources, so the outcome can be significant data loss.
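The bug class behind this advisory (the AC-3 control failure in the mitigating-controls section and the Create-only DELETE described above) is a handler that gates every HTTP method on the same permission instead of the permission each method needs. The following Go program is an added illustration written for this page; it is not File Browser's code, and the `Perms`, `Store`, `/upload` path prefix and handler names are hypothetical. It stands up a minimal resumable-upload-style resource with an in-memory store, runs a DELETE from a Create-only user against both a handler that checks only Create (the bug class) and one that maps each method to its required permission (the hardened form), and returns the status code and whether the file survived.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Perms models the per-user Create/Delete split the advisory describes.
// Hypothetical type for this example, not File Browser's user model.
type Perms struct {
	Create bool
	Delete bool
}

// Store is a toy in-memory scope: path -> exists. Constructed for the example.
type Store map[string]bool

// requiredPerm maps an HTTP method on an upload resource to the permission
// that must gate it: POST creates, PATCH appends data, DELETE removes.
func requiredPerm(method string) string {
	switch method {
	case http.MethodPost, http.MethodPatch:
		return "create"
	case http.MethodDelete:
		return "delete"
	}
	return ""
}

func (p Perms) has(name string) bool {
	switch name {
	case "create":
		return p.Create
	case "delete":
		return p.Delete
	}
	return false
}

// newHandler builds a handler over store for a user holding perms.
// perMethod=false reproduces the bug class: every method is gated on Create
// alone, so a Create-only user can DELETE. perMethod=true is the hardened
// form: each method is checked against the permission it actually needs.
func newHandler(store Store, perms Perms, perMethod bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		path := strings.TrimPrefix(r.URL.Path, "/upload")
		need := "create"
		if perMethod {
			need = requiredPerm(r.Method)
		}
		if need == "" {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		if !perms.has(need) {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		switch r.Method {
		case http.MethodPost:
			store[path] = true
			w.WriteHeader(http.StatusCreated)
		case http.MethodDelete:
			if !store[path] {
				w.WriteHeader(http.StatusNotFound)
				return
			}
			delete(store, path)
			w.WriteHeader(http.StatusNoContent)
		default:
			w.WriteHeader(http.StatusNoContent)
		}
	}
}

// attempt issues one in-process request and reports the status code and
// whether path is still present in store afterwards.
func attempt(perMethod bool, perms Perms, method, path string, store Store) (int, bool) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(method, "/upload"+path, nil)
	newHandler(store, perms, perMethod)(rec, req)
	return rec.Code, store[path]
}

func main() {
	createOnly := Perms{Create: true}
	for _, perMethod := range []bool{false, true} {
		store := Store{"/shared/report.pdf": true} // constructed sample scope
		code, exists := attempt(perMethod, createOnly, http.MethodDelete, "/shared/report.pdf", store)
		fmt.Printf("perMethod=%v: DELETE by Create-only user -> %d, file still present: %v\n",
			perMethod, code, exists)
	}
}
```

The design point is the `requiredPerm` table: authorization is keyed on the operation the request performs, not on the endpoint family it arrives through, so a resumable-upload termination request is treated as a delete. When auditing a deployment for this class of bug, check that every method on an upload or resource endpoint consults the same permission the equivalent "normal" API path would.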
The vulnerability has been addressed in File Browser version 2.61.1. Security practitioners should upgrade to this patched release, as detailed in the GitHub security advisory (GHSA-79pf-vx4x-7jmm), the corresponding release notes, and the fixing commit (7ed1425115be602c2b23236c410098ea2d74b42f).
Details
- CWE(s)