Vulnerability Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Filebrowser | Filebrowser | < 2.61.1 |
Related Weaknesses (CWE)
References
- https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098Patch
- https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1Release Notes
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jExploitVendor Advisory
FAQ
What is CVE-2026-29188?
CVE-2026-29188 is a vulnerability with a CVSS score of 9.1 (CRITICAL). File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vuln...
How severe is CVE-2026-29188?
CVE-2026-29188 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-29188?
Check the references section above for vendor advisories and patch information. Affected products include: Filebrowser Filebrowser.