{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32758", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.532Z", "datePublished": "2026-03-19T23:22:19.952Z", "dateUpdated": "2026-03-20T20:00:43.633Z"}, "containers": {"cna": {"title": "File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-9f3r-2vgw-m8xp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-9f3r-2vgw-m8xp"}, {"name": "https://github.com/filebrowser/filebrowser/commit/4bd7d69c82163b201a987e99c0c50d7ecc6ee5f1", "tags": ["x_refsource_MISC"], "url": "https://github.com/filebrowser/filebrowser/commit/4bd7d69c82163b201a987e99c0c50d7ecc6ee5f1"}, {"name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0"}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"version": "< 2.62.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:22:19.952Z"}, "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward\u2014resolving .. sequences into a different effective path. This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules (both prefix-based and regex-based) by injecting .. sequences in the destination parameter of a PATCH request. As a result, the user can write or move files into any deny-rule-protected path within their scope. However, this cannot be used to escape the user's BasePathFs scope or read from restricted paths. This issue has been fixed in version 2.62.0."}], "source": {"advisory": "GHSA-9f3r-2vgw-m8xp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T20:00:32.489408Z", "id": "CVE-2026-32758", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:00:43.633Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32758", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T20:00:32.489408Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:00:39.078Z"}}], "cna": {"title": "File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter", "source": {"advisory": "GHSA-9f3r-2vgw-m8xp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"status": "affected", "version": "< 2.62.0"}]}], "references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-9f3r-2vgw-m8xp", "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-9f3r-2vgw-m8xp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/filebrowser/filebrowser/commit/4bd7d69c82163b201a987e99c0c50d7ecc6ee5f1", "name": "https://github.com/filebrowser/filebrowser/commit/4bd7d69c82163b201a987e99c0c50d7ecc6ee5f1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0", "name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward\u2014resolving .. sequences into a different effective path. This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules (both prefix-based and regex-based) by injecting .. sequences in the destination parameter of a PATCH request. As a result, the user can write or move files into any deny-rule-protected path within their scope. However, this cannot be used to escape the user's BasePathFs scope or read from restricted paths. This issue has been fixed in version 2.62.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:22:19.952Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32758", "state": "PUBLISHED", "dateUpdated": "2026-03-20T20:00:43.633Z", "dateReserved": "2026-03-13T18:53:03.532Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T23:22:19.952Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E5C9E4B-8749-44EA-AB8D-1292D4C9DB65", "versionEndExcluding": "2.62.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward\u2014resolving .. sequences into a different effective path. This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules (both prefix-based and regex-based) by injecting .. sequences in the destination parameter of a PATCH request. As a result, the user can write or move files into any deny-rule-protected path within their scope. However, this cannot be used to escape the user's BasePathFs scope or read from restricted paths. This issue has been fixed in version 2.62.0."}, {"lang": "es", "value": "File Browser es una interfaz de gesti\u00f3n de archivos para subir, eliminar, previsualizar, renombrar y editar archivos dentro de un directorio especificado. Las versiones 2.61.2 e inferiores son vulnerables a Salto de ruta a trav\u00e9s del resourcePatchHandler (http/resource.go). La ruta de destino en resourcePatchHandler se valida contra las reglas de acceso antes de ser limpiada/normalizada, mientras que la operaci\u00f3n de archivo real llama a path.Clean() despu\u00e9s, resolviendo secuencias de .. en una ruta efectiva diferente. Esto permite a un usuario autenticado con permisos de Creaci\u00f3n o Renombrado eludir las reglas de denegaci\u00f3n configuradas por el administrador (tanto basadas en prefijos como en expresiones regulares) inyectando secuencias de .. en el par\u00e1metro de destino de una solicitud PATCH. Como resultado, el usuario puede escribir o mover archivos a cualquier ruta protegida por reglas de denegaci\u00f3n dentro de su \u00e1mbito. Sin embargo, esto no puede usarse para escapar del \u00e1mbito BasePathFs del usuario o leer de rutas restringidas. Este problema ha sido solucionado en la versi\u00f3n 2.62.0."}], "id": "CVE-2026-32758", "lastModified": "2026-03-23T16:55:20.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:17.093", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/filebrowser/filebrowser/commit/4bd7d69c82163b201a987e99c0c50d7ecc6ee5f1"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-9f3r-2vgw-m8xp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.62.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "filebrowser", "source": "cna", "vendor": "filebrowser"}, "product": "filebrowser", "vendor": "filebrowser"}], "analysis": {"en": {"generated_at": "2026-03-23T18:35:50.166107+00:00", "value": {"mitigation_remediation": ["Confirm the running version of File Browser by accessing the system information endpoint or checking the deployment metadata.", "If the version is 2.61.2 or older, upgrade to 2.62.0 or later, where the path normalisation and access\u2011rule validation order has been corrected.", "After upgrading, verify that the patchHandler no longer accepts \"..\" in the destination field by attempting a test rename or copy operation.\n", "If an immediate upgrade is not possible, consider tightening access control by removing Create/Rename permissions from all but trusted users or disabling the PATCH operation for unauthenticated sessions."], "summary": {"action": "Patch Now", "impact": "Privilege escalation via access rule bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects File Browser services of the filebrowser:filebrowser product with version 2.61.2 and earlier. The product is an open\u2011source web\u2011based file manager that supports uploading, deleting, previewing, renaming and editing files within a configured directory.\n", "description_and_impact": "A path traversal flaw in the destination parameter of the resourcePatchHandler allows an authenticated user with Create or Rename permissions to write or move files into any path protected by administrator\u2011configured deny rules. The flaw occurs because the validation of access rules precedes path normalization, letting malicious path sequences such as \"..\" be resolved to a different effective location. As a result, attackers can place files in directories that should be off\u2011limits within their assigned scope, potentially subverting security policies without breaching the user\u2019s base directory.\n", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The flaw is not listed in the CISA KEV catalog, giving no evidence of active exploitation in the wild. An attacker must be authenticated and possess either Create or Rename permissions to exploit the issue, and the attack vector is remote through the web interface via an HTTP PATCH request with a crafted destination parameter. The flaw cannot be used to escape the user\u2019s BasePathFs scope or read from restricted locations, but it does enable unauthorized writes within the user\u2019s permitted area."}}}}, "created": "2026-03-20T08:54:18.589982+00:00", "updated": "2026-03-25T14:10:33.519407+00:00", "vendors": ["filebrowser", "filebrowser$PRODUCT$filebrowser"]}