{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29188", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T14:44:00.714Z", "datePublished": "2026-03-05T20:57:57.329Z", "dateUpdated": "2026-03-06T10:41:10.751Z"}, "containers": {"cna": {"title": "File Browser: TUS Delete Endpoint Bypasses Delete Permission Check", "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "lang": "en", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm"}, {"name": "https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f", "tags": ["x_refsource_MISC"], "url": "https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f"}, {"name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1"}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"version": "< 2.61.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:57:57.329Z"}, "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1."}], "source": {"advisory": "GHSA-79pf-vx4x-7jmm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T10:40:45.426964Z", "id": "CVE-2026-29188", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T10:41:10.751Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29188", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T10:40:45.426964Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T10:41:06.817Z"}}], "cna": {"title": "File Browser: TUS Delete Endpoint Bypasses Delete Permission Check", "source": {"advisory": "GHSA-79pf-vx4x-7jmm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"status": "affected", "version": "< 2.61.1"}]}], "references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm", "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f", "name": "https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1", "name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:57:57.329Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29188", "state": "PUBLISHED", "dateUpdated": "2026-03-06T10:41:10.751Z", "dateReserved": "2026-03-04T14:44:00.714Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T20:57:57.329Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "matchCriteriaId": "C933E37A-6BEC-42C8-88CC-D8FD69116058", "versionEndExcluding": "2.61.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1."}, {"lang": "es", "value": "File Browser proporciona una interfaz de gesti\u00f3n de archivos dentro de un directorio especificado y puede utilizarse para subir, eliminar, previsualizar, renombrar y editar archivos. Antes de la versi\u00f3n 2.61.1, una vulnerabilidad de control de acceso roto en el endpoint DELETE del protocolo TUS permite a usuarios autenticados con solo permiso de Creaci\u00f3n eliminar archivos y directorios arbitrarios dentro de su alcance, eludiendo la restricci\u00f3n de permiso de Eliminaci\u00f3n prevista. Cualquier despliegue multiusuario donde los administradores restringen expl\u00edcitamente la eliminaci\u00f3n de archivos para ciertos usuarios se ve afectado. Este problema ha sido parcheado en la versi\u00f3n 2.61.1."}], "id": "CVE-2026-29188", "lastModified": "2026-03-10T19:42:36.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-05T21:16:23.097", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-732"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.61.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "filebrowser", "source": "cna", "vendor": "filebrowser"}, "product": "filebrowser", "vendor": "filebrowser"}], "analysis": {"en": {"generated_at": "2026-04-17T12:38:47.484259+00:00", "value": {"mitigation_remediation": ["Upgrade File Browser to version 2.61.1 or later to incorporate the vendor fix that restores proper delete permission enforcement.", "Re\u2011evaluate and tighten user roles so that users who should not delete files do not possess Delete or Create permissions; remove Create\u2011only roles if unnecessary.", "Confirm that all remaining user accounts have only the permissions they require for their responsibilities, and audit permissions for any unexpected privileges.", "If an upgrade is not immediately possible, enforce network or application\u2011level restrictions against the TUS DELETE endpoint for non\u2011administrator users."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized deletion of files by users lacking delete permission"}, "threat_synthesis": {"affected_systems": "The flaw exists in File Browser v2.60 and earlier, up to the release of v2.61.1. Any multi\u2011user deployment where administrators limit file deletion for certain users is affected. The product is identified in the Vendor/Product list as filebrowser/filebrowser and is documented in the public GitHub releases and advisory.", "description_and_impact": "File Browser implements a TUS protocol DELETE endpoint that should enforce delete permissions. Users who only have Create rights can send a DELETE request and remove any file or directory within the scope granted to them, bypassing the intended Delete permission check. This broken access control flaw violates the principle of least privilege (CWE-284) and leads to unauthorized modification or removal of data, causing potential loss of integrity and availability. The vulnerability is purely an access\u2011control weakness; it does not allow arbitrary code execution or remote code execution but enables privileged escalation within the application\u2019s file management subsystem.", "risk_and_exploitability": "The CVSS score of 9.1 indicates critical severity, and the EPSS score of less than 1% suggests that exploitation attempts are rare but possible. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to be authenticated with a role that includes Create permission; no special network conditions or additional software are required. Once authenticated, the attacker can issue a TUS DELETE request to arbitrary paths within their permitted scope, bypassing the Delete permission check and deleting files or directories. The attack path is straightforward, and the impact is localized to the affected instance\u2019s file hierarchy. Because the flaw affects privileged users, the risk to overall system integrity remains high."}}}}, "created": "2026-03-06T15:00:53.358824+00:00", "updated": "2026-04-17T12:45:16.142916+00:00", "vendors": ["filebrowser", "filebrowser$PRODUCT$filebrowser"]}