Cyber Resilience

CVE-2026-34528

Severity: High · Public PoC

Published: 01 April 2026

Modified: 06 April 2026
KEV Added: not listed
Patch: available (fixed in 2.62.2)
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0065 (46.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34528 is a high-severity Improper Privilege Management (CWE-269) vulnerability in File Browser (vendor: Filebrowser, product: Filebrowser). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 46.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-34528 is a vulnerability in File Browser, an open-source file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. It affects versions prior to 2.62.2 and stems from improper handling of user permissions in the signupHandler function. Specifically, the handler applies default user permissions from the template via d.settings.Defaults.Apply(user) but strips only the Admin permission, failing to remove the Execute permission and Commands list.

Unauthenticated attackers can exploit this if an administrator has enabled signup, server-side execution, and Execute=true in the default user template. By self-registering, the attacker inherits shell execution capabilities, enabling arbitrary command execution on the server. The CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects network reachability without privileges or user interaction and high impact on confidentiality, integrity, and availability, offset by high attack complexity because all three prerequisite settings must be in place.

The vulnerability has been patched in File Browser version 2.62.2. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub release notes at https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2 and the GitHub Security Advisory at https://github.com/filebrowser/filebrowser/security/advisories/GHSA-x8jc-jvqm-pm3f.

Vulnerability details

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.
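Both the "Deeper analysis" section and the advisory text above describe the same defect: the signup path stamps the default template onto a new account and then clears only Admin. The Go program below is an added example written for this page, not File Browser's actual code; the struct and field names (Perm, User, Defaults, Settings, Signup, Exec) are assumptions modelled on the names the advisory mentions, not the project's real types. It places the pre-2.62.2 behaviour beside a hardened signup that clears every capability a self-registered account should never inherit, and adds a configuration audit function that reports whether an instance's settings match the advisory's three preconditions.

```go
package main

import "fmt"

// Perm carries the permission flags the advisory names. Field names are an
// assumption for this example, not File Browser's actual types.
type Perm struct {
	Admin   bool
	Execute bool
}

// User is a minimal account model: permissions plus a Commands allow-list.
type User struct {
	Username string
	Perm     Perm
	Commands []string
}

// Defaults stands in for d.settings.Defaults: the template new accounts are
// stamped from.
type Defaults struct {
	Perm     Perm
	Commands []string
}

// Apply copies the template onto a fresh account, as the advisory describes
// d.settings.Defaults.Apply(user) doing.
func (d Defaults) Apply(u *User) {
	u.Perm = d.Perm
	u.Commands = append([]string(nil), d.Commands...)
}

// Settings is the subset of server configuration the advisory says gates the
// issue: self-signup, server-side command execution, and the default template.
type Settings struct {
	Signup   bool
	Exec     bool // server-side execution feature enabled
	Defaults Defaults
}

// vulnerableSignup models the pre-2.62.2 behaviour: defaults are applied and
// only Admin is cleared, so Execute and Commands survive from the template.
func vulnerableSignup(s Settings, name string) *User {
	u := &User{Username: name}
	s.Defaults.Apply(u)
	u.Perm.Admin = false
	return u
}

// hardenedSignup models the intended behaviour: a self-registered account keeps
// no shell-related capability from the template, however the template is set.
func hardenedSignup(s Settings, name string) *User {
	u := &User{Username: name}
	s.Defaults.Apply(u)
	u.Perm.Admin = false
	u.Perm.Execute = false
	u.Commands = nil
	return u
}

// SignupExposesShell is a configuration audit: it reports true only when all
// three preconditions named in the advisory hold at once.
func SignupExposesShell(s Settings) bool {
	return s.Signup && s.Exec && s.Defaults.Perm.Execute
}

func main() {
	// Constructed sample configuration matching the advisory's preconditions.
	cfg := Settings{
		Signup: true,
		Exec:   true,
		Defaults: Defaults{
			Perm:     Perm{Admin: true, Execute: true},
			Commands: []string{"ls", "cat"},
		},
	}
	fmt.Println("config matches advisory preconditions:", SignupExposesShell(cfg))
	v := vulnerableSignup(cfg, "newuser")
	h := hardenedSignup(cfg, "newuser")
	fmt.Printf("vulnerable: admin=%v execute=%v commands=%v\n", v.Perm.Admin, v.Perm.Execute, v.Commands)
	fmt.Printf("hardened:   admin=%v execute=%v commands=%v\n", h.Perm.Admin, h.Perm.Execute, h.Commands)
}
```

The design point is that the hardened path does not depend on the template being sane: an administrator can still hand Execute to trusted accounts manually, but self-registration is treated as an untrusted source and gets the minimum. On an unpatched instance, the audit check shows the cheapest interim mitigation is to break any one of the three preconditions (disable signup, disable server-side execution, or remove Execute from the default template) until 2.62.2 is deployed.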

CWE(s): CWE-269 Improper Privilege Management

Related Threats

MITRE ATT&CK Enterprise Techniques [AI-assigned]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The vulnerability allows unauthenticated attackers to exploit a public-facing web application (File Browser) via signup to gain arbitrary shell command execution on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35607: same product (Filebrowser Filebrowser)
CVE-2026-35585: same product (Filebrowser Filebrowser)
CVE-2026-32760: same product (Filebrowser Filebrowser)
CVE-2026-32759: same product (Filebrowser Filebrowser)
CVE-2026-35605: same product (Filebrowser Filebrowser)
CVE-2026-35604: same product (Filebrowser Filebrowser)
CVE-2025-64523: same product (Filebrowser Filebrowser)
CVE-2026-30933: same product (Filebrowser Filebrowser)
CVE-2025-53826: same product (Filebrowser Filebrowser)
CVE-2026-30934: same product (Filebrowser Filebrowser)

Affected Assets

Vendor: filebrowser
Product: filebrowser
Versions: ≤ 2.62.2

Mitigating Controls (NIST 800-53 r5) [AI-assigned]

Flaw remediation (prevent): Directly mitigates the vulnerability by requiring timely remediation of the specific flaw in signupHandler permission stripping, as patched in version 2.62.2.

AC-6 Least Privilege (prevent): Enforces the least privilege principle, preventing self-registered users from inheriting the unnecessary Execute permission and Commands list from the default template.

AC-2 Account Management (prevent): Manages the account lifecycle, including self-registration via signup, ensuring new accounts are provisioned without excessive shell execution privileges.

References