{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35607", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T21:25:12.163Z", "datePublished": "2026-04-07T16:31:21.522Z", "dateUpdated": "2026-04-08T18:50:24.867Z"}, "containers": {"cna": {"title": "File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7526-j432-6ppp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7526-j432-6ppp"}, {"name": "https://github.com/filebrowser/filebrowser/pull/5890", "tags": ["x_refsource_MISC"], "url": "https://github.com/filebrowser/filebrowser/pull/5890"}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"version": "< 2.63.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:31:21.522Z"}, "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 (\"self-registered users don't get execute perms\") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global defaults, even though the signup path was explicitly changed to prevent execution rights from being inherited by automatically provisioned accounts. This vulnerability is fixed in 2.63.1."}], "source": {"advisory": "GHSA-7526-j432-6ppp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7526-j432-6ppp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:50:21.093218Z", "id": "CVE-2026-35607", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:50:24.867Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35607", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T18:50:21.093218Z"}}}], "references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7526-j432-6ppp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:50:15.519Z"}}], "cna": {"title": "File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands", "source": {"advisory": "GHSA-7526-j432-6ppp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"status": "affected", "version": "< 2.63.1"}]}], "references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7526-j432-6ppp", "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7526-j432-6ppp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/filebrowser/filebrowser/pull/5890", "name": "https://github.com/filebrowser/filebrowser/pull/5890", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 (\"self-registered users don't get execute perms\") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global defaults, even though the signup path was explicitly changed to prevent execution rights from being inherited by automatically provisioned accounts. This vulnerability is fixed in 2.63.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:31:21.522Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35607", "state": "PUBLISHED", "dateUpdated": "2026-04-08T18:50:24.867Z", "dateReserved": "2026-04-03T21:25:12.163Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T16:31:21.522Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 (\"self-registered users don't get execute perms\") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global defaults, even though the signup path was explicitly changed to prevent execution rights from being inherited by automatically provisioned accounts. This vulnerability is fixed in 2.63.1."}], "id": "CVE-2026-35607", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T17:16:34.890", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/filebrowser/filebrowser/pull/5890"}, {"source": "security-advisories@github.com", "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7526-j432-6ppp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7526-j432-6ppp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.63.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "filebrowser", "source": "cna", "vendor": "filebrowser"}, "product": "filebrowser", "vendor": "filebrowser"}], "analysis": {"en": {"generated_at": "2026-04-07T23:20:00.483010+00:00", "value": {"mitigation_remediation": ["Upgrade File Browser to version 2.63.1 or newer."], "summary": {"action": "Immediate Patch", "impact": "Execution privilege escalation via auto\u2011provisioned proxy authentication"}, "threat_synthesis": {"affected_systems": "All deployments of File Browser running a version earlier than 2.63.1 are vulnerable, regardless of the specific installation method. The issue originates in the proxy authentication code path and affects automatically created user accounts. It does not affect pre\u2011existing accounts that were created through standard signup, nor versions 2.63.1 and newer.", "description_and_impact": "File Browser allows automated user creation through its proxy authentication handler. A regression in versions before 2.63.1 caused these auto\u2011provisioned accounts to receive execute permissions and command capabilities from global defaults, even though the signup route was corrected to remove such rights. This enables a malicious actor who can trigger a proxy\u2011auth login for a new user to gain the ability to run arbitrary commands on the server. The weakness is classified as an Improper Authorization issue (CWE\u2011269).", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity. EPSS information is unavailable, so the exact likelihood of exploitation cannot be quantified, but the vulnerability exists in a publicly accessible web interface and can be triggered by any proxy\u2011authenticated user. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, suggesting there are no confirmed, widespread attacks yet. Nevertheless, an attacker who can influence the proxy authentication flow could instantiate a privileged account and potentially execute code on the host."}}}}, "created": "2026-04-08T19:36:50.365233+00:00", "updated": "2026-04-08T19:47:53.566503+00:00", "vendors": ["filebrowser", "filebrowser$PRODUCT$filebrowser"]}