Cyber Resilience

CVE-2026-29188

Severity: Critical · Public PoC

Published: 05 March 2026
Modified: 10 March 2026
KEV Added: not listed
Patch: available (version 2.61.1)
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0049 (38.1st percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-29188 is a critical-severity Improper Access Control (CWE-284) vulnerability in Filebrowser Filebrowser. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). The CVE is ranked at the 38.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29188 is a broken access control vulnerability in File Browser, an open-source file management interface that supports uploading, deleting, previewing, renaming, and editing files within a specified directory. Affecting versions prior to 2.61.1, the flaw exists in the TUS protocol DELETE endpoint, which fails to enforce the intended Delete permission restriction. It impacts any multi-user deployment where administrators explicitly limit file deletion for certain users. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-284 (Improper Access Control) and CWE-732 (Incorrect Permission Assignment for Critical Resource).

An authenticated attacker with only Create permission can exploit this issue to delete arbitrary files and directories within their scope, bypassing the Delete permission check. This enables unauthorized data destruction in scoped environments, potentially leading to significant data loss for other users or shared resources in multi-tenant setups.

The vulnerability has been addressed in File Browser version 2.61.1. Security practitioners should upgrade to this patched release, as detailed in the GitHub security advisory (GHSA-79pf-vx4x-7jmm), the corresponding release notes, and the fixing commit (7ed1425115be602c2b23236c410098ea2d74b42f).
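As an added illustration (not File Browser's own code), the following Go handler for a TUS-style endpoint shows the class of bug the advisory describes: the vulnerable variant gates every method, including DELETE, on the Create permission, while the corrected variant requires Delete before an upload may be terminated. The Perms type, the request path and the handler shape are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Perms holds the per-user flags an administrator sets. The type and field
// names are assumed for this example and are not File Browser's own types.
type Perms struct{ Create, Delete bool }

// tusHandler serves a TUS upload endpoint. With vulnerable set, it behaves
// as described in the advisory: every method, including DELETE, is gated
// only on the Create permission.
func tusHandler(p Perms, vulnerable bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		allowed := false
		switch r.Method {
		case http.MethodPost, http.MethodPatch: // create upload, append chunk
			allowed = p.Create
		case http.MethodDelete: // terminate upload, which removes the file
			if vulnerable {
				allowed = p.Create // the flaw: Create alone is enough
			} else {
				allowed = p.Delete // corrected: DELETE needs Delete
			}
		}
		if !allowed {
			http.Error(w, "permission denied", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// statusFor issues a request against the handler and returns the HTTP status
// code, so the vulnerable and corrected variants can be compared directly.
// The path is constructed for this example.
func statusFor(p Perms, vulnerable bool, method string) int {
	req := httptest.NewRequest(method, "/tus/report.txt", nil)
	rec := httptest.NewRecorder()
	tusHandler(p, vulnerable).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	createOnly := Perms{Create: true, Delete: false}
	fmt.Println("vulnerable DELETE:", statusFor(createOnly, true, http.MethodDelete))  // 204
	fmt.Println("corrected  DELETE:", statusFor(createOnly, false, http.MethodDelete)) // 403
}
```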


Vulnerability details

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Broken access control in DELETE endpoint directly enables unauthorized file/directory deletion, mapping to T1485 Data Destruction for impact in multi-user scopes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64523 (same product: Filebrowser Filebrowser)
CVE-2026-32760 (same product: Filebrowser Filebrowser)
CVE-2026-35605 (same product: Filebrowser Filebrowser)
CVE-2026-32759 (same product: Filebrowser Filebrowser)
CVE-2026-25890 (same product: Filebrowser Filebrowser)
CVE-2026-35607 (same product: Filebrowser Filebrowser)
CVE-2026-30933 (same product: Filebrowser Filebrowser)
CVE-2026-30934 (same product: Filebrowser Filebrowser)
CVE-2026-34529 (same product: Filebrowser Filebrowser)
CVE-2026-34528 (same product: Filebrowser Filebrowser)

Affected Assets

Vendor: filebrowser
Product: filebrowser
Versions: ≤ 2.61.1

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces approved authorizations for access to system resources, mitigating the broken access control in the TUS DELETE endpoint that bypassed Delete permission checks.

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and correction of system flaws like this improper access control vulnerability, addressed by patching to File Browser version 2.61.1.

Least privilege (prevent): Enforces least privilege by restricting users to only necessary permissions such as Create without Delete, reducing the attack surface even if enforcement partially fails.
