CVE-2026-29188 Overview
CVE-2026-29188 is a broken access control vulnerability affecting File Browser, a web-based file management interface that enables users to upload, delete, preview, rename, and edit files within a specified directory. The vulnerability exists in the TUS (resumable upload) protocol DELETE endpoint, where the permission check incorrectly validates the Create permission instead of the required Delete permission, allowing authenticated users to bypass intended access restrictions.
Critical Impact
Authenticated users with only Create permission can delete arbitrary files and directories within their scope, completely bypassing the intended Delete permission restriction. This poses significant risk to multi-user deployments where administrators explicitly restrict file deletion capabilities.
Affected Products
- File Browser versions prior to 2.61.1
- Multi-user deployments with explicit deletion restrictions
- Environments using TUS protocol for file management
Discovery Timeline
- 2026-03-05 - CVE-2026-29188 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-29188
Vulnerability Analysis
This vulnerability is classified under CWE-284 (Improper Access Control). The flaw allows authenticated users to perform unauthorized file deletion operations through the TUS protocol endpoint. The impact is significant because it enables complete bypass of the permission model that administrators rely on to restrict user capabilities.
In multi-user environments where certain users are intentionally prevented from deleting files, this vulnerability undermines the entire permission structure. An attacker with only file creation permissions can delete critical files or directories, potentially causing data loss, service disruption, or enabling further attacks by removing security controls or audit logs.
Root Cause
The root cause is a simple but critical coding error in the TUS DELETE handler within http/tus_handlers.go. The function tusDeleteHandler incorrectly checks d.user.Perm.Create instead of d.user.Perm.Delete when validating whether a user has permission to delete files through the TUS endpoint. This means any user with Create permission automatically gains unauthorized Delete capability on this specific endpoint, despite potentially being explicitly denied Delete permission in the user configuration.
Attack Vector
The attack vector is network-based and requires authentication. An attacker must have valid credentials to the File Browser instance and possess at least Create permission. The attack flow involves:
- Authenticating to the File Browser instance with valid credentials
- Sending a DELETE request to the TUS protocol endpoint
- The server incorrectly validates Create permission instead of Delete permission
- The deletion operation succeeds despite the user lacking Delete permission
The vulnerability is exploitable with low complexity and requires no user interaction, making it particularly dangerous in environments with untrusted or semi-trusted users.
// Vulnerable vs Patched Code - http/tus_handlers.go
// Source: https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f
func tusDeleteHandler(cache UploadCache) handleFunc {
return withUser(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
- if r.URL.Path == "/" || !d.user.Perm.Create {
+ if r.URL.Path == "/" || !d.user.Perm.Delete {
return http.StatusForbidden, nil
}
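Review bot: the guard now consults d.user.Perm.Delete, which is the correct flag, but nothing in the hunk adds a regression test; suggest a handler test asserting that a user with Perm.Create true and Perm.Delete false receives http.StatusForbidden from tusDeleteHandler, so that a future edit cannot swap the field back unnoticed. Note also that `r.URL.Path == "/"` is the only path-scope check visible in this hunk; the enforcement of the user's directory scope for the deleted path must be coming from withUser or surrounding code outside the diff.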
Source: GitHub Commit Change
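To make the root cause concrete, here is an added example (not File Browser's own code) that models the TUS DELETE guard in a minimal Go handler; the Permissions and userInfo types, the 204 response and the path handling are assumptions for this example, and no file is removed. Running the vulnerable and patched variants side by side shows that the wrong-field check admits a Create-only user and, conversely, rejects a Delete-only user.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Permissions holds the two per-user flags involved in CVE-2026-29188.
type Permissions struct{ Create, Delete bool }

// userInfo stands in for File Browser's d.user (assumption for this example).
type userInfo struct{ Perm Permissions }

// tusDeleteHandler mimics the shape of the real handler: r.URL.Path is the
// upload being deleted and u the authenticated user. patched=false applies
// the vulnerable check (Perm.Create); patched=true the fixed one (Perm.Delete).
// Nothing is deleted; the handler only reports the authorization outcome.
func tusDeleteHandler(u userInfo, patched bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		allowed := u.Perm.Create // vulnerable: consults the wrong flag
		if patched {
			allowed = u.Perm.Delete // fixed: the Delete flag gates deletion
		}
		if r.URL.Path == "/" || !allowed {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusNoContent) // here the upload would be removed
	})
}

// statusFor sends a DELETE for path to the chosen handler variant and
// returns the HTTP status it answered with.
func statusFor(u userInfo, patched bool, path string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodDelete, path, nil)
	tusDeleteHandler(u, patched).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	createOnly := userInfo{Perm: Permissions{Create: true}}
	for _, patched := range []bool{false, true} {
		fmt.Printf("patched=%v create-only DELETE /docs/report.pdf -> %d\n",
			patched, statusFor(createOnly, patched, "/docs/report.pdf"))
	}
}
```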
Detection Methods for CVE-2026-29188
Indicators of Compromise
- Unexpected file or directory deletions in File Browser managed directories
- DELETE requests to TUS endpoints (/api/tus/) from users without Delete permission
- Audit log entries showing deletion operations by users configured with Create-only permissions
- Missing files or directories that should be protected from deletion
Detection Strategies
- Review File Browser access logs for DELETE requests to TUS protocol endpoints
- Cross-reference deletion activities with user permission configurations to identify unauthorized operations
- Monitor for users with Create-but-not-Delete permissions performing any deletion operations
- Implement alerting on file system changes in protected directories
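Added example, not part of the advisory, implementing the cross-reference step above in Go: the log lines and their key=value format are constructed for this example (real File Browser or proxy logs need their own parser), as is the permission table. It flags every DELETE under /api/tus/ issued by an account not granted Delete and records whether the server accepted the request.

```go
package main

import (
	"fmt"
	"strings"
)

// Permissions is the subset of File Browser per-user flags used here.
type Permissions struct{ Create, Delete bool }

// Finding is one DELETE against /api/tus/ by a user not granted Delete;
// Succeeded is true when the server answered 2xx, i.e. the target was removed.
type Finding struct {
	User, Path string
	Succeeded  bool
}

// findUnauthorizedTusDeletes scans constructed "<ts> k=v k=v ..." log lines
// and flags every DELETE under /api/tus/ whose user lacks Delete (unknown
// users included); a 2xx reply there is CVE-2026-29188 being exercised.
func findUnauthorizedTusDeletes(lines []string, perms map[string]Permissions) []Finding {
	var out []Finding
	for _, line := range lines {
		f := map[string]string{}
		for _, tok := range strings.Fields(line) {
			if k, v, ok := strings.Cut(tok, "="); ok {
				f[k] = v
			}
		}
		if f["method"] != "DELETE" || !strings.HasPrefix(f["path"], "/api/tus/") {
			continue // only the TUS endpoint is in scope for this CVE
		}
		if p, ok := perms[f["user"]]; ok && p.Delete {
			continue // deletion was legitimately permitted
		}
		out = append(out, Finding{f["user"], f["path"], strings.HasPrefix(f["status"], "2")})
	}
	return out
}

// Constructed sample log (not real File Browser output) and permission table.
var sampleLog = []string{
	"2026-03-06T10:01:22Z user=alice method=DELETE path=/api/tus/docs/report.pdf status=204",
	"2026-03-06T10:01:40Z user=bob method=DELETE path=/api/tus/docs/old.txt status=204",
	"2026-03-06T10:02:05Z user=alice method=POST path=/api/tus/docs/new.bin status=201",
}
var samplePerms = map[string]Permissions{"alice": {Create: true}, "bob": {Create: true, Delete: true}}

func main() {
	for _, f := range findUnauthorizedTusDeletes(sampleLog, samplePerms) {
		fmt.Printf("ALERT user=%s path=%s succeeded=%v\n", f.User, f.Path, f.Succeeded)
	}
}
```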
Monitoring Recommendations
- Enable verbose logging in File Browser to capture all TUS endpoint interactions
- Set up file integrity monitoring on directories managed by File Browser
- Create alerts for DELETE operations by users in restricted permission groups
- Regularly audit user permissions and correlate with activity logs
How to Mitigate CVE-2026-29188
Immediate Actions Required
- Upgrade File Browser to version 2.61.1 or later immediately
- Audit recent file deletions to identify any unauthorized operations
- Review user permissions and identify accounts with Create-but-not-Delete configurations
- Consider temporarily disabling TUS endpoints if immediate patching is not possible
Patch Information
The vulnerability has been patched in File Browser version 2.61.1. The fix corrects the permission check in the tusDeleteHandler function to properly validate d.user.Perm.Delete instead of d.user.Perm.Create. Administrators should upgrade to this version immediately to resolve the vulnerability.
For detailed patch information, see the GitHub Security Advisory GHSA-79pf-vx4x-7jmm and the patched release v2.61.1.
Workarounds
- Temporarily revoke Create permissions from users who should not have Delete access until patching is complete
- Place a reverse proxy in front of File Browser to block DELETE requests to TUS endpoints
- Implement file system-level protections on critical directories to prevent deletion regardless of application permissions
- Consider using immutable backup snapshots of critical data
# Example: Block TUS DELETE requests via nginx reverse proxy
# Note: this also blocks legitimate cancellation of in-progress TUS uploads
# (the protocol's Termination extension), so treat it as a stopgap until the
# upgrade to 2.61.1 is complete.
location /api/tus/ {
    if ($request_method = DELETE) {
        return 403;
    }
    proxy_pass http://filebrowser:8080;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

