
CVE-2026-32760

Critical · Public PoC

Published: 20 March 2026
Modified: 23 March 2026
CVSS Score (v4): 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0068 (47.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-32760 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Filebrowser Filebrowser. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 47.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-32760 is an improper privilege management vulnerability (CWE-269, CWE-284) in File Browser, a web-based file managing interface for uploading, deleting, previewing, renaming, and editing files in a specified directory. It affects versions 2.61.2 and below, where the self-registration feature (signup = true) combined with default user permissions set to perm.admin = true allows any unauthenticated visitor to create a full administrator account. The signup handler applies all default settings, including admin privileges, to new users without server-side validation to strip admin access, contrary to its intended purpose of creating unprivileged accounts.

Any unauthenticated attacker with network access can exploit this by accessing the public registration endpoint and signing up for an account, instantly gaining full administrator privileges. This provides complete control over all files, user management, and server settings within the File Browser instance, enabling arbitrary file manipulation, user deletion or modification, and configuration changes. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with no prerequisites beyond the misconfiguration.

The issue was addressed in File Browser version 2.62.0, as detailed in the project's security advisory (GHSA-5gg9-5g7w-hm73), release notes, and the fixing commit (a63573b67eb302167b4c4f218361a2d0c138deab). Administrators should upgrade to v2.62.0 or later and review configurations to disable self-registration or set default permissions to exclude admin access.


Vulnerability details

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings (including Perm.Admin) to the new user without any server-side guard that strips admin from self-registered accounts. The signupHandler is supposed to create unprivileged accounts for new visitors. It contains no explicit user.Perm.Admin = false reset after applying defaults. If an administrator (intentionally or accidentally) configures defaults.perm.admin = true and also enables signup, every account created via the public registration endpoint is an administrator with full control over all files, users, and server settings. This issue has been resolved in version 2.62.0.
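The following Go block is an added illustration of the flaw described in the Deeper analysis and Vulnerability details sections, not File Browser's own code: a simplified model of the signup path where defaults are copied wholesale, beside a hardened version that always clears Admin after applying defaults, plus a configuration audit check for the signup = true / perm.admin = true combination. The Perm, User and Settings types and all function names are assumptions made for this example.

```go
package main

import "fmt"

// Perm is a simplified stand-in for the per-user permission set (assumed shape, not the project's own type).
type Perm struct {
	Admin, Create, Modify, Delete bool
}

// User is the minimal account record the signup path produces (assumed shape).
type User struct {
	Username string
	Perm     Perm
}

// Settings models the two options the advisory names: Signup (self-registration) and Defaults (copied onto new accounts).
type Settings struct {
	Signup   bool
	Defaults Perm
}

// UnsafeSignupConfig is a defender-side audit check for the advisory's risky combination: signup enabled AND admin in defaults.
func UnsafeSignupConfig(s Settings) bool {
	return s.Signup && s.Defaults.Admin
}

// SignupVulnerable mirrors the pre-2.62.0 flaw: defaults are copied wholesale, so Defaults.Admin == true makes every self-registered user an administrator.
func SignupVulnerable(s Settings, username string) (User, error) {
	if !s.Signup {
		return User{}, fmt.Errorf("signup is disabled")
	}
	return User{Username: username, Perm: s.Defaults}, nil
}

// SignupHardened applies the same defaults, then always clears Admin: the server-side guard the page says the handler lacked.
func SignupHardened(s Settings, username string) (User, error) {
	u, err := SignupVulnerable(s, username)
	if err != nil {
		return User{}, err
	}
	u.Perm.Admin = false
	return u, nil
}

func main() {
	cfg := Settings{Signup: true, Defaults: Perm{Admin: true, Create: true}} // constructed misconfiguration
	v, _ := SignupVulnerable(cfg, "visitor")
	h, _ := SignupHardened(cfg, "visitor")
	fmt.Println(UnsafeSignupConfig(cfg), v.Perm.Admin, h.Perm.Admin) // true true false
}
```

Disabling signup or removing admin from the defaults (the page's configuration advice) makes UnsafeSignupConfig return false; the hardened handler protects even when the misconfiguration is present.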


Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE directly enables remote, unauthenticated admin account creation via the public signup endpoint of a web-based file manager (T1190: Exploit Public-Facing Application) and results in immediate privilege escalation to full admin rights because server-side permission validation is missing (T1068: Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-35607 · Same product: Filebrowser Filebrowser
- CVE-2026-34528 · Same product: Filebrowser Filebrowser
- CVE-2026-35605 · Same product: Filebrowser Filebrowser
- CVE-2026-35604 · Same product: Filebrowser Filebrowser
- CVE-2025-64523 · Same product: Filebrowser Filebrowser
- CVE-2026-30933 · Same product: Filebrowser Filebrowser
- CVE-2025-53826 · Same product: Filebrowser Filebrowser
- CVE-2026-29188 · Same product: Filebrowser Filebrowser
- CVE-2026-35585 · Same product: Filebrowser Filebrowser
- CVE-2026-32759 · Same product: Filebrowser Filebrowser

Affected Assets

filebrowser filebrowser ≤ 2.62.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

- Prevent (AC-6, Least Privilege): Enforces least privilege by ensuring self-registered accounts are not assigned administrative permissions, directly preventing the improper privilege escalation described in the CVE.
- Prevent (AC-2, Account Management): Requires management of account creation and privilege assignment processes so that unauthenticated self-registration cannot grant full admin access.
- Prevent: Mandates secure configuration settings, such as disabling self-registration or configuring default permissions without admin rights, to remove the misconfiguration that enables the vulnerability.
