CVE-2026-32758 Overview
CVE-2026-32758 is a Path Traversal vulnerability affecting File Browser, a web-based file management interface used for uploading, deleting, previewing, renaming, and editing files within a specified directory. The vulnerability exists in the resourcePatchHandler function within http/resource.go, where improper path validation allows authenticated users to bypass administrator-configured deny rules.
The core issue stems from a timing flaw in path validation: the destination path is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward. This discrepancy allows .. sequences to resolve to different effective paths than what was originally validated, enabling bypass of both prefix-based and regex-based deny rules.
Critical Impact
Authenticated users with Create or Rename permissions can bypass administrator-configured access restrictions to write or move files into protected directories within their scope.
Affected Products
- File Browser versions 2.61.2 and below
- Any deployment using File Browser's deny rule functionality for access control
Discovery Timeline
- 2026-03-20 - CVE-2026-32758 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32758
Vulnerability Analysis
This Path Traversal vulnerability exploits a Time-of-Check Time-of-Use (TOCTOU) race condition in how File Browser validates and processes file paths. The resourcePatchHandler function performs access control validation on the raw destination path parameter from PATCH requests before normalizing it. Subsequently, when the actual file operation executes, path.Clean() is called, which resolves .. sequences into their canonical form.
This order-of-operations flaw means an attacker can craft a destination path that appears legitimate during validation but resolves to a protected location when cleaned. For example, a path like /allowed/../denied/file.txt might pass deny rule checks for /denied/ but ultimately writes to that protected directory after normalization.
The vulnerability requires authentication and either Create or Rename permissions, limiting exploitation to authorized users. While this cannot be used to escape the user's BasePathFs scope or read from restricted paths, it effectively nullifies administrator-configured deny rules for write operations within the user's allowed scope.
Root Cause
The root cause is improper ordering of security controls in the path handling logic. The resourcePatchHandler validates paths against access rules using the unsanitized input, but the file system operations use the cleaned/normalized path. This violates the security principle that validation must occur on the final, canonical form of user input.
The fix in version 2.62.0 applies path.Clean() before the access rule validation, so the path that is validated is the same path that is used for the file operation.
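The ordering flaw described above, as an added example that is not File Browser's code: a hypothetical deny-rule checker that evaluates prefix and regex rules on the raw destination and then cleans it (the vulnerable order) beside one that calls path.Clean() first (the fixed order). The rule representation, the function names and the sample paths are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// denyRule models the two rule kinds the advisory names: a literal path prefix
// or a regular expression, matched against the destination path (assumed shape).
type denyRule struct {
	prefix string
	re     *regexp.Regexp
}

// deniedByRules reports whether any configured rule matches the given path.
func deniedByRules(p string, rules []denyRule) bool {
	for _, r := range rules {
		if (r.re != nil && r.re.MatchString(p)) || (r.re == nil && strings.HasPrefix(p, r.prefix)) {
			return true
		}
	}
	return false
}

// checkVulnerable reproduces the flawed ordering: the rules see the raw
// destination, while the path handed to the file operation is cleaned.
func checkVulnerable(dest string, rules []denyRule) (allowed bool, effective string) {
	return !deniedByRules(dest, rules), path.Clean(dest)
}

// checkFixed normalises first, so the path that was validated is the path used.
func checkFixed(dest string, rules []denyRule) (allowed bool, effective string) {
	effective = path.Clean(dest)
	return !deniedByRules(effective, rules), effective
}

func main() {
	rules := []denyRule{{prefix: "/denied/"}, {re: regexp.MustCompile(`^/secret(/|$)`)}}
	for _, d := range []string{"/allowed/file.txt", "/allowed/../denied/file.txt", "/allowed/../secret/x"} {
		v, eff := checkVulnerable(d, rules)
		f, _ := checkFixed(d, rules)
		fmt.Printf("%-28s -> %-18s vulnerable=%v fixed=%v\n", d, eff, v, f)
	}
}
```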
Attack Vector
The attack requires an authenticated user with Create or Rename permissions to send a specially crafted PATCH request to the File Browser API. The destination parameter includes .. path traversal sequences designed to bypass configured deny rules.
The vulnerability is accessible over the network and has low attack complexity, though prior authentication is mandatory. An attacker could leverage this to:
- Write malicious files (such as web shells or configuration files) to directories that should be protected
- Move sensitive files into exposed locations
- Overwrite critical files in protected directories
Since File Browser is commonly used to manage web server content, successful exploitation could lead to further compromise of the hosting environment.
Detection Methods for CVE-2026-32758
Indicators of Compromise
- PATCH requests to File Browser containing .. sequences in the destination parameter
- File operations in directories covered by deny rules that were not explicitly allowed
- Unexpected files appearing in protected directories
- Audit logs showing file moves or writes to restricted paths
Detection Strategies
- Monitor File Browser API logs for PATCH requests with path traversal patterns such as ../ or ..%2F
- Implement web application firewall rules to detect and block path traversal attempts
- Review file system integrity monitoring alerts for changes in protected directories
- Analyze authentication logs for users with Create/Rename permissions making suspicious requests
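One way to implement the first detection strategy, as an added example that is not part of the advisory or of File Browser: scan request log lines for PATCH requests whose destination parameter still contains a ".." segment after percent-decoding, covering the plain ../ form, the ..%2F form and an over-encoded variant. The log line format and the /api/resources path are assumptions; the destination parameter is the one the advisory names.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample lines ("METHOD URI STATUS"); the /api/resources prefix is assumed.
var sampleLog = []string{
	"PATCH /api/resources/allowed/a.txt?action=rename&destination=%2Fallowed%2Fb.txt 200",
	"PATCH /api/resources/allowed/a.txt?action=rename&destination=/allowed/../denied/a.txt 200",
	"PATCH /api/resources/allowed/a.txt?action=rename&destination=%2Fallowed%2F..%2Fdenied%2Fa.txt 200",
	"PATCH /api/resources/allowed/a.txt?action=rename&destination=%252Fallowed%252F..%252Fdenied%252Fa.txt 200",
}

// fullyDecode percent-decodes until stable (bounded), so an over-encoded ..%252F attempt is surfaced too.
func fullyDecode(s string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return s
}

// suspiciousPatch returns the decoded destination and true when a PATCH request carries a ".." segment.
func suspiciousPatch(line string) (string, bool) {
	f := strings.Fields(line)
	if len(f) < 2 || f[0] != "PATCH" {
		return "", false
	}
	u, err := url.Parse(f[1])
	if err != nil {
		return "", false
	}
	dest := fullyDecode(u.Query().Get("destination"))
	// Wrapping in slashes also catches a leading or trailing ".." segment.
	return dest, strings.Contains("/"+dest+"/", "/../")
}

func main() {
	for _, l := range sampleLog {
		if d, ok := suspiciousPatch(l); ok {
			fmt.Printf("ALERT traversal destination %q in: %s\n", d, l)
		}
	}
}
```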
Monitoring Recommendations
- Enable detailed request logging on File Browser instances
- Configure file integrity monitoring (FIM) on directories protected by deny rules
- Set up alerts for access control denials, since repeated denials may indicate exploitation attempts
- Monitor for unauthorized file modifications in web-accessible directories
How to Mitigate CVE-2026-32758
Immediate Actions Required
- Upgrade File Browser to version 2.62.0 or later immediately
- Review audit logs for any suspicious PATCH requests containing path traversal patterns
- Verify integrity of files in directories protected by deny rules
- Consider temporarily restricting Create and Rename permissions until patching is complete
Patch Information
The vulnerability has been addressed in File Browser version 2.62.0. The fix ensures path normalization occurs before access rule validation, eliminating the TOCTOU condition. The patch is available in GitHub commit 4bd7d69c82163b201a987e99c0c50d7ecc6ee5f1.
For detailed information about the vulnerability and fix, refer to the GitHub Security Advisory GHSA-9f3r-2vgw-m8xp.
Workarounds
- Temporarily revoke Create and Rename permissions from untrusted users until patching
- Implement additional file system-level access controls as a defense-in-depth measure
- Deploy a reverse proxy or WAF with path traversal detection rules in front of File Browser
- Use network segmentation to limit access to File Browser instances
# Example: Upgrade File Browser to patched version
# Stop the current File Browser service
sudo systemctl stop filebrowser
# Download the latest release (v2.62.0 or newer)
curl -fsSL https://github.com/filebrowser/filebrowser/releases/download/v2.62.0/linux-amd64-filebrowser.tar.gz -o filebrowser.tar.gz
# Extract and install
tar -xzf filebrowser.tar.gz
sudo mv filebrowser /usr/local/bin/
# Restart the service
sudo systemctl start filebrowser
# Verify the version
filebrowser version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

