CVE-2026-35607
Published: 07 April 2026
Summary
CVE-2026-35607 is a high-severity Improper Privilege Management (CWE-269) vulnerability in File Browser (vendor/product listed as Filebrowser/Filebrowser). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); its exploit likelihood ranks at the 25.3rd percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-2 requires proper management of account creation and privilege assignment, directly preventing auto-provisioned proxy auth users in File Browser from inheriting excessive execution capabilities from global defaults.
AC-6 enforces the least privilege principle, ensuring that users auto-created via the proxy auth handler do not receive unnecessary execution permissions.
SI-2 mandates timely flaw remediation, such as upgrading File Browser to version 2.63.1, which fixes the proxy auth handler to strip execution privileges from auto-created accounts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote unauthenticated exploit in a public-facing web application (File Browser) that creates accounts with execution privileges, directly enabling T1190 (Exploit Public-Facing Application) for initial access and facilitating T1059 (Command and Scripting Interpreter) due to the granted execution capabilities leading to high C/I/A impact.
NVD Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 ("self-registered users don't get execute perms") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global defaults, even though the signup path was explicitly changed to prevent execution rights from being inherited by automatically provisioned accounts. This vulnerability is fixed in 2.63.1.
Deeper analysis
CVE-2026-35607 is an improper privilege management vulnerability (CWE-269) in File Browser, an open-source file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions prior to 2.63.1 are affected. A prior fix in commit b6a4fb1 stripped Execute permission and Commands from users created via the signup handler, but this change was not applied to the proxy auth handler. As a result, users auto-created on first successful proxy-auth login inherit execution capabilities from global defaults.
The vulnerability can be exploited over the network by unauthenticated attackers (PR:N) with no user interaction (UI:N), though it requires high attack complexity (AC:H). Successful exploitation involves triggering the proxy auth handler to create a new user account, which grants that account execution privileges. This enables high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within an unchanged scope (S:U), giving a CVSS v3.1 score of 8.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
The issue is addressed in File Browser version 2.63.1. Official mitigation guidance in GitHub security advisory GHSA-7526-j432-6ppp and pull request #5890 recommends upgrading to the fixed release to prevent auto-provisioned proxy auth users from inheriting execution rights.
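The following Go example is added here to illustrate the defect class described above and the shape of the fix; it is not File Browser's own code, and the `Defaults`, `User`, `Perm` types and the function names are hypothetical stand-ins. It shows an auto-provisioning path that clones server-wide defaults wholesale (so a first-login account inherits Execute and the command list), the hardened variant that applies the same stripping rule the signup path received, and an audit helper a defender can run over existing accounts to find auto-provisioned users that still hold execution capabilities.

```go
package main

import "fmt"

// Perm is a minimal permission set (hypothetical; not File Browser's real types).
type Perm struct {
	Admin   bool
	Execute bool
	Create  bool
	Modify  bool
	Delete  bool
}

// User is an account record; Commands lists shell commands the user may run.
type User struct {
	Username string
	Perm     Perm
	Commands []string
}

// Defaults models the server-wide defaults that new accounts are cloned from.
type Defaults struct {
	Perm     Perm
	Commands []string
}

// newUserFromDefaults copies the global defaults wholesale. Used as-is for an
// account created on first proxy-auth login, this is the CWE-269 pattern from
// the advisory: Execute and Commands are inherited by an account nobody reviewed.
func newUserFromDefaults(name string, d Defaults) User {
	return User{
		Username: name,
		Perm:     d.Perm,
		Commands: append([]string(nil), d.Commands...), // copy, don't alias the defaults slice
	}
}

// newAutoProvisionedUser is the hardened form: accounts that are created
// automatically (signup or proxy-auth first login) get the defaults minus any
// execution capability. Admin is also cleared, since an auto-provisioned admin
// would be an even larger version of the same mistake.
func newAutoProvisionedUser(name string, d Defaults) User {
	u := newUserFromDefaults(name, d)
	u.Perm.Execute = false
	u.Perm.Admin = false
	u.Commands = nil
	return u
}

// hasExecCapability reports whether an account could run commands at all.
func hasExecCapability(u User) bool {
	return u.Perm.Execute || u.Perm.Admin || len(u.Commands) > 0
}

// auditAutoProvisioned returns the usernames of auto-provisioned accounts that
// still hold execution capabilities, i.e. accounts created by a vulnerable
// release that need their permissions reviewed after upgrading.
func auditAutoProvisioned(users []User, autoProvisioned map[string]bool) []string {
	var flagged []string
	for _, u := range users {
		if autoProvisioned[u.Username] && hasExecCapability(u) {
			flagged = append(flagged, u.Username)
		}
	}
	return flagged
}

func main() {
	// Constructed sample: global defaults that allow command execution.
	d := Defaults{Perm: Perm{Execute: true, Create: true, Modify: true}, Commands: []string{"git", "ls"}}

	legacy := newUserFromDefaults("proxy-user-old", d)     // created by a vulnerable release
	fixed := newAutoProvisionedUser("proxy-user-new", d)   // created after the fix
	auto := map[string]bool{"proxy-user-old": true, "proxy-user-new": true}

	fmt.Println("accounts needing review:", auditAutoProvisioned([]User{legacy, fixed}, auto))
}
```

Upgrading closes the provisioning path, but accounts the vulnerable release already created keep whatever they inherited; the audit helper exists to catch those, which is the AC-2/AC-6 follow-through the controls section describes.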
Details
- CWE(s)