CVE-2026-35607 Overview
CVE-2026-35607 is a privilege escalation vulnerability in File Browser, a web-based file management interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.63.1, an inconsistency in permission handling between the signup handler and proxy authentication handler allows automatically provisioned users to inherit unintended execution capabilities from global defaults.
Critical Impact
Users auto-created through proxy authentication inherit Execute permissions and Commands capabilities from global defaults, bypassing security controls explicitly implemented for self-registered users. This could allow unauthorized command execution on the underlying system.
Affected Products
- File Browser versions prior to 2.63.1
- File Browser installations using proxy authentication for user provisioning
- Environments with global defaults that include Execute or Commands permissions
Discovery Timeline
- 2026-04-07 - CVE CVE-2026-35607 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35607
Vulnerability Analysis
This vulnerability stems from an incomplete security fix (CWE-269: Improper Privilege Management) where permission restrictions were applied inconsistently across different user provisioning pathways. The original fix implemented in commit b6a4fb1 was designed to strip Execute permission and Commands from users created via the signup handler, preventing self-registered users from inheriting dangerous execution capabilities from global defaults.
However, the proxy authentication handler was not updated with the same security controls. When a user is automatically created upon their first successful proxy-auth login, they are granted execution capabilities from global defaults without the permission stripping that occurs in the signup pathway. This creates a privilege escalation vector where users provisioned through proxy authentication receive more permissions than intended.
The attack can be executed remotely over the network, though it requires high complexity as the attacker must leverage a proxy authentication mechanism that automatically provisions users. Once a user is created through this pathway with inherited execution permissions, they can execute arbitrary commands within the File Browser context.
Root Cause
The root cause is an incomplete application of a security fix across multiple code paths. While the signup handler was patched to strip Execute and Commands permissions from automatically created users, the proxy authentication handler continued to grant these permissions based on global defaults. This represents a failure to identify and update all relevant code paths when implementing security controls, leading to an inconsistent permission model between different user creation mechanisms.
Attack Vector
The attack requires network access to a File Browser instance configured with proxy authentication. An attacker who can authenticate through the proxy (either legitimately or through compromised credentials) will have a user account automatically provisioned with elevated Execute and Commands permissions. The vulnerability does not require prior authentication to File Browser itself, as the user creation occurs automatically during the first proxy-auth login.
The vulnerability mechanism involves the proxy authentication flow creating user accounts that inherit execution capabilities from global configuration settings. For technical implementation details, see the GitHub Security Advisory.
Detection Methods for CVE-2026-35607
Indicators of Compromise
- Newly created user accounts with Execute or Commands permissions that were provisioned through proxy authentication
- Unexpected command execution logs from user accounts created after proxy-auth login
- User accounts in File Browser with elevated privileges that do not match organizational provisioning policies
- Audit logs showing user creation events via proxy authentication followed by command execution activity
Detection Strategies
- Review File Browser user database for accounts with Execute permissions that were created via proxy authentication
- Monitor command execution logs for activity from automatically provisioned user accounts
- Compare permission levels between users created via signup versus proxy authentication to identify discrepancies
- Implement alerting for any command execution events from newly created user accounts
Monitoring Recommendations
- Enable and centralize File Browser audit logging to capture user creation events and permission assignments
- Monitor for command execution events, particularly from accounts created within a recent timeframe
- Implement periodic permission audits to identify users with elevated privileges created through proxy authentication
- Configure alerts for any Execute or Commands usage by accounts not explicitly granted these permissions
How to Mitigate CVE-2026-35607
Immediate Actions Required
- Upgrade File Browser to version 2.63.1 or later immediately
- Audit existing user accounts for unintended Execute or Commands permissions
- Review and restrict global default permissions to remove Execute and Commands capabilities
- Temporarily disable proxy authentication if immediate patching is not possible
Patch Information
The vulnerability is fixed in File Browser version 2.63.1. The patch ensures that users auto-created through proxy authentication have Execute permission and Commands stripped, consistent with the security controls already in place for the signup handler. Organizations should upgrade to version 2.63.1 or later to remediate this vulnerability.
For additional details, review the GitHub Pull Request #5890 that addresses this issue.
Workarounds
- Remove Execute and Commands permissions from global defaults to prevent automatic inheritance by any provisioned users
- Manually audit and revoke Execute/Commands permissions from users created via proxy authentication prior to the patch
- Consider switching to manual user provisioning or the signup handler (which has proper permission stripping) until the patch is applied
- Implement network-level access controls to restrict File Browser access to trusted networks
# Review and update File Browser global settings
# Remove Execute and Commands from default permissions
# This prevents any automatically provisioned users from inheriting execution capabilities
# Example: Backup current configuration before making changes
cp /path/to/filebrowser/database.db /path/to/filebrowser/database.db.backup
# Upgrade File Browser to patched version
# Using the official installation method
curl -fsSL https://raw.githubusercontent.com/filebrowser/get/master/get.sh | bash -s -- -v 2.63.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
