CVE-2026-32758

MEDIUM

File Browser <2.62.0 Copy/Rename Destination - Access Rule Bypass

Title source: manual

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward—resolving .. sequences into a different effective path. This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules (both prefix-based and regex-based) by injecting .. sequences in the destination parameter of a PATCH request. As a result, the user can write or move files into any deny-rule-protected path within their scope. However, this cannot be used to escape the user's BasePathFs scope or read from restricted paths. This issue has been fixed in version 2.62.0.

References (3)

Core 3

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/filebrowser/filebrowser/security/advisories/GHSA-9f3r-2vgw-m8xp

X_Refsource_Misc x_refsource_misc

https://github.com/filebrowser/filebrowser/commit/4bd7d69c82163b201a987e99c0c50d7ecc6ee5f1

View Writeup ZIP pw:eip

X_Refsource_Misc x_refsource_misc

https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0

Scores

CVSS v3 6.5

EPSS 0.0039

EPSS Percentile 30.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-863 CWE-22

Status published

Products (2)

filebrowser/filebrowser < 2.62.0 (2 CPE variants)

filebrowser/filebrowser 0 - 2.62.0Go

Published Mar 20, 2026

Tracked Since Mar 20, 2026