PT-2026-23103 · Unknown · Filebrowser
Fg0X0 · Published 2026-03-04 · Updated 2026-03-25 · CVE-2026-29188
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: File Browser versions prior to 2.61.1

Description: File Browser includes a file managing interface that allows users to upload, delete, preview, rename, and edit files within a specified directory. A broken access control issue exists in the TUS protocol DELETE endpoint. It allows authenticated users with only the Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Deployments with multiple users, where administrators restrict file deletion for certain users, are affected.

The issue stems from an incorrect permission check in the tusDeleteHandler function, which uses Perm.Create instead of Perm.Delete. The vulnerable code is located in http/tus handlers.go, where tusDeleteHandler incorrectly gates the DELETE operation; resourceDeleteHandler in http/resource.go correctly checks Perm.Delete. This inconsistency means that DELETE requests to /api/tus/{path} and /api/resources/{path} enforce different permission models for the same filesystem operation. The TUS endpoint, intended for resumable uploads, permanently removes files from the filesystem regardless of how the upload was initiated. An attacker with Create permission can bypass the intended Delete permission restriction by initiating a TUS upload against the target path and then issuing a TUS DELETE request.
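To make the inconsistency concrete, the following added Go example (not File Browser's code; Perm and the two gate functions are constructed stand-ins named after the advisory's tusDeleteHandler and resourceDeleteHandler) models both DELETE routes' permission checks and enumerates the permission sets on which they disagree.

```go
package main

import (
	"errors"
	"fmt"
)

// Perm carries the two fields the advisory names. This type and everything
// below are a constructed illustration, not File Browser's own code.
type Perm struct{ Create, Delete bool }

var ErrForbidden = errors.New("forbidden")

// tusDeleteGateVulnerable mirrors tusDeleteHandler before 2.61.1:
// DELETE /api/tus/{path} is wrongly gated on Perm.Create.
func tusDeleteGateVulnerable(p Perm) error {
	if !p.Create {
		return ErrForbidden
	}
	return nil
}

// resourceDeleteGate mirrors resourceDeleteHandler (http/resource.go), which gates
// DELETE /api/resources/{path} on Perm.Delete; 2.61.1 gives the TUS route the same check.
func resourceDeleteGate(p Perm) error {
	if !p.Delete {
		return ErrForbidden
	}
	return nil
}

// inconsistentPerms tries every Create/Delete combination and returns those on which
// two routes for the same filesystem operation disagree (non-empty means a bug).
func inconsistentPerms(a, b func(Perm) error) []Perm {
	var bad []Perm
	for _, c := range []bool{false, true} {
		for _, d := range []bool{false, true} {
			p := Perm{Create: c, Delete: d}
			if (a(p) == nil) != (b(p) == nil) {
				bad = append(bad, p)
			}
		}
	}
	return bad
}

func main() {
	fmt.Println("before fix:", inconsistentPerms(tusDeleteGateVulnerable, resourceDeleteGate))
	fmt.Println("after fix: ", inconsistentPerms(resourceDeleteGate, resourceDeleteGate))
}
```

Running it prints the two disagreeing permission sets before the fix and an empty list after it; the same comparison makes a cheap regression test for any pair of routes that share a filesystem operation.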
Recommendations: Versions prior to 2.61.1 should be updated to version 2.61.1 or later.

Exploit · Fix

Weakness Enumeration

Improper Access Control
Incorrect Permission

Related Identifiers

CVE-2026-29188
GHSA-79PF-VX4X-7JMM
GO-2026-4606
SUSE-SU-2026:1042-1

Affected Products

Filebrowser