CVE-2026-32760
Published: 20 March 2026
Summary
CVE-2026-32760 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Filebrowser Filebrowser. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces least privilege by ensuring self-registered accounts are not assigned administrative permissions, directly preventing the improper privilege escalation described in the CVE.
- Requires management of account creation and privilege assignment processes to block unauthenticated self-registration from granting full admin access.
- Mandates secure configuration settings, such as disabling self-registration or configuring default permissions without admin rights, to mitigate the misconfiguration enabling the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE directly enables remote unauthenticated admin account creation via the public signup endpoint of a web-based file manager (T1190: Exploit Public-Facing Application) and results in immediate privilege escalation to full admin rights because the server performs no permission validation when applying defaults (T1068: Exploitation for Privilege Escalation).
NVD Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings (including Perm.Admin) to the new user without any server-side guard that strips admin from self-registered accounts. The signupHandler is supposed to create unprivileged accounts for new visitors. It contains no explicit user.Perm.Admin = false reset after applying defaults. If an administrator (intentionally or accidentally) configures defaults.perm.admin = true and also enables signup, every account created via the public registration endpoint is an administrator with full control over all files, users, and server settings. This issue has been resolved in version 2.62.0.
Deeper analysis
CVE-2026-32760 is an improper privilege management vulnerability (CWE-269, CWE-284) in File Browser, a web-based file managing interface for uploading, deleting, previewing, renaming, and editing files in a specified directory. It affects versions 2.61.2 and below, where the self-registration feature (signup = true) combined with default user permissions set to perm.admin = true allows any unauthenticated visitor to create a full administrator account. The signup handler applies all default settings, including admin privileges, to new users without server-side validation to strip admin access, contrary to its intended purpose of creating unprivileged accounts.
Any unauthenticated attacker with network access can exploit this by accessing the public registration endpoint and signing up for an account, instantly gaining full administrator privileges. This provides complete control over all files, user management, and server settings within the File Browser instance, enabling arbitrary file manipulation, user deletion or modification, and configuration changes. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with no prerequisites beyond the misconfiguration.
The issue was addressed in File Browser version 2.62.0, as detailed in the project's security advisory (GHSA-5gg9-5g7w-hm73), release notes, and the fixing commit (a63573b67eb302167b4c4f218361a2d0c138deab). Administrators should upgrade to v2.62.0 or later and review configurations to disable self-registration or set default permissions to exclude admin access.
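The NVD description and the analysis above both come down to one missing line in the signup path: defaults are copied onto the new user and nothing resets the admin flag. The Go program below is an added illustration written for this page, not File Browser's own code; the Settings, User and Perm types, the applyDefaults helper and the AuditConfig function are simplified stand-ins that only mirror the fields the advisory names (signup, defaults.perm.admin, user.Perm.Admin). It shows the unguarded handler beside the hardened one, and a configuration audit that flags the dangerous combination an administrator should look for before upgrading.

```go
package main

import (
	"errors"
	"fmt"
)

// Perm is a hypothetical, reduced permission set. Only Admin matters for the CVE;
// the other flags stand in for the ordinary per-user permissions.
type Perm struct {
	Admin  bool
	Create bool
	Delete bool
}

// User is a hypothetical account record.
type User struct {
	Username string
	Perm     Perm
}

// Settings is a hypothetical server configuration mirroring the two knobs the
// advisory names: self-registration (signup) and the defaults applied to new users.
type Settings struct {
	Signup   bool
	Defaults struct{ Perm Perm }
}

// applyDefaults copies every default onto the new user, the pattern the advisory
// describes: nothing here distinguishes an admin-created user from a self-registered one.
func applyDefaults(s *Settings, u *User) {
	u.Perm = s.Defaults.Perm
}

// signupUnguarded models the vulnerable behaviour: defaults are applied as-is, so
// defaults.perm.admin = true leaks straight into the self-registered account.
func signupUnguarded(s *Settings, username string) (*User, error) {
	if !s.Signup {
		return nil, errors.New("self-registration is disabled")
	}
	u := &User{Username: username}
	applyDefaults(s, u)
	return u, nil
}

// signupHardened applies the same defaults but then forces Admin off, which is the
// server-side guard the advisory says was missing. Self-registered accounts can never
// start as administrators, whatever the defaults say.
func signupHardened(s *Settings, username string) (*User, error) {
	if !s.Signup {
		return nil, errors.New("self-registration is disabled")
	}
	u := &User{Username: username}
	applyDefaults(s, u)
	u.Perm.Admin = false // explicit reset: public signup must not grant admin
	return u, nil
}

// AuditConfig returns the findings a defender wants from a configuration review.
// The first finding is the exact precondition of the CVE; the second is the weaker
// but still risky setting on its own.
func AuditConfig(s *Settings) []string {
	var findings []string
	if s.Signup && s.Defaults.Perm.Admin {
		findings = append(findings,
			"signup enabled while defaults.perm.admin is true: every self-registered visitor becomes an administrator")
	}
	if s.Defaults.Perm.Admin {
		findings = append(findings,
			"defaults.perm.admin is true: every newly created account starts with full admin rights")
	}
	return findings
}

func main() {
	// Constructed sample configuration reproducing the misconfiguration from the advisory.
	s := &Settings{Signup: true}
	s.Defaults.Perm.Admin = true

	for _, f := range AuditConfig(s) {
		fmt.Println("finding:", f)
	}
	u1, _ := signupUnguarded(s, "visitor")
	u2, _ := signupHardened(s, "visitor")
	fmt.Printf("unguarded signup admin=%v, hardened signup admin=%v\n", u1.Perm.Admin, u2.Perm.Admin)
}
```

The hardened handler deliberately resets the flag after applying defaults rather than filtering the defaults first: that way any later addition to the default permission set still cannot reintroduce admin through the public endpoint. The audit function is the check to run over existing deployments, since upgrading to 2.62.0 fixes the handler but does not retroactively demote accounts that were already created while the misconfiguration was live.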
Details
- CWE(s)