CVE-2026-34528
Published: 01 April 2026
Summary
CVE-2026-34528 is a high-severity Improper Privilege Management (CWE-269) vulnerability in File Browser (vendor Filebrowser, product Filebrowser). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 49.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by requiring timely remediation of the specific flaw in signupHandler permission stripping, as patched in version 2.62.2.
- AC-6 (Least Privilege): enforces the least-privilege principle, preventing self-registered users from inheriting the unnecessary Execute permission and the Commands list from the default template.
- AC-2 (Account Management): manages the account lifecycle, including self-registration via signup, ensuring new accounts are provisioned without excessive shell execution privileges.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated attackers to exploit a public-facing web application (File Browser) via signup to gain arbitrary shell command execution on the server.
NVD Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.
Deeper analysis
CVE-2026-34528 is a vulnerability in File Browser, an open-source file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. It affects versions prior to 2.62.2 and stems from improper handling of user permissions in the signupHandler function. Specifically, the handler applies default user permissions from the template via d.settings.Defaults.Apply(user) but strips only the Admin permission, failing to remove the Execute permission and Commands list.
Unauthenticated attackers can exploit this if an administrator has enabled signup, server-side execution, and Execute=true in the default user template. By self-registering, the attacker inherits shell execution capabilities, enabling arbitrary command execution on the server. The CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates network accessibility without privileges, high impacts on confidentiality, integrity, and availability, but requires high attack complexity due to the prerequisite configurations.
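The permission-stripping flaw and its fix, as an added illustration that is not File Browser's own code: the User struct, applyDefaults, SignupVulnerable, SignupPatched and CanRunShell below are a simplified model assumed for this example, placing the pre-2.62.2 behaviour (only Admin cleared) beside the hardened signup path that also clears Execute and the Commands list, with an audit check a defender can run over existing accounts.

```go
package main

import "fmt"

// User is a simplified stand-in for a File Browser account (assumed model for
// this example, not the project's own type).
type User struct {
	Username string
	Admin    bool
	Execute  bool     // may run shell commands when server-side execution is on
	Commands []string // command list inherited from the default template
}

// applyDefaults copies the administrator's default user template onto a new
// account, as the signup path does before adjusting permissions.
func applyDefaults(tmpl User, u *User) {
	u.Admin, u.Execute = tmpl.Admin, tmpl.Execute
	u.Commands = append([]string(nil), tmpl.Commands...)
}

// SignupVulnerable mirrors the pre-2.62.2 behaviour: only Admin is stripped,
// so Execute and Commands survive from the template.
func SignupVulnerable(tmpl User, name string) User {
	u := User{Username: name}
	applyDefaults(tmpl, &u)
	u.Admin = false
	return u
}

// SignupPatched also clears Execute and the Commands list, so a self-registered
// account cannot inherit shell execution however the template is configured.
func SignupPatched(tmpl User, name string) User {
	u := User{Username: name}
	applyDefaults(tmpl, &u)
	u.Admin = false
	u.Execute = false
	u.Commands = nil
	return u
}

// CanRunShell is an audit check: true when an account holds execution rights.
func CanRunShell(u User) bool {
	return u.Execute || len(u.Commands) > 0
}

func main() {
	// Constructed risky template: Execute=true with a command list.
	tmpl := User{Execute: true, Commands: []string{"ls", "sh"}}
	fmt.Println(CanRunShell(SignupVulnerable(tmpl, "guest"))) // true
	fmt.Println(CanRunShell(SignupPatched(tmpl, "guest")))    // false
}
```

Running CanRunShell over every non-admin account in an existing deployment flags self-registered users that already inherited execution rights before the upgrade; those accounts need their permissions corrected by hand, since the patch only changes what future signups receive.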
The vulnerability has been patched in File Browser version 2.62.2. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub release notes at https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2 and the GitHub Security Advisory at https://github.com/filebrowser/filebrowser/security/advisories/GHSA-x8jc-jvqm-pm3f.
Details
- CWE(s)