CVE-2026-32758
File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward—resolving .. sequences into a different effective path. This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules (both prefix-based and regex-based) by injecting .. sequences in the destination parameter of a PATCH request. As a result, the user can write or move files into any deny-rule-protected path within their scope. However, this cannot be used to escape the user's BasePathFs scope or read from restricted paths. This issue has been fixed in version 2.62.0.
| CWE | CWE-863 CWE-22 |
| Vendor | filebrowser |
| Product | filebrowser |
| Published | Mar 19, 2026 |
| Last Updated | Mar 20, 2026 |
Get instant alerts for filebrowser filebrowser
Be the first to know when new medium vulnerabilities affecting filebrowser filebrowser are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N