PT-2026-25856 · Unknown · Filebrowser
Iconnnjka · Published 2026-03-16 · Updated 2026-03-27 · CVE-2026-32758

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: File Browser versions 2.61.2 and below

Description: File Browser, a file managing interface, has an issue where an authenticated user with Create or Rename permissions can bypass administrator-configured deny rules. This is due to the order in which path validation and cleaning occur. The destination path is validated against access rules before being cleaned, and the actual file operation cleans the path afterward, resolving '..' sequences into a different effective path. This allows users to inject '..' sequences in the destination parameter of a PATCH request to write or move files to protected paths within their scope. The issue resides in the resourcePatchHandler within http/resource.go. The rules engine uses literal string prefix matching or regex matching against the raw path, while the file operation calls path.Clean() which resolves '..' sequences. This does not allow escaping the user's BasePathFs scope or reading from restricted paths.

Recommendations: Versions prior to 2.62.0 are affected. Update to version 2.62.0 or later to resolve this issue.
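The validate-before-clean ordering described above, reduced to a minimal Go illustration (added example; not File Browser's code). Rule, denied, checkThenClean and cleanThenCheck are constructed names, and the deny rule is a literal prefix only, standing in for the real prefix/regex engine.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is a simplified deny rule: a literal path prefix the user may not write to
// (constructed for this example; File Browser's real engine also supports regex).
type Rule struct{ Prefix string }

// denied reports whether p matches any deny rule by literal prefix matching.
func denied(rules []Rule, p string) bool {
	for _, r := range rules {
		if strings.HasPrefix(p, r.Prefix) {
			return true
		}
	}
	return false
}

// checkThenClean mirrors the vulnerable ordering: the destination is validated as
// received and only afterwards cleaned, so '..' segments defeat the prefix check.
func checkThenClean(rules []Rule, dst string) (string, bool) {
	if denied(rules, dst) {
		return "", false
	}
	return path.Clean(dst), true
}

// cleanThenCheck is the safe ordering: normalise first, then validate the path
// that the file operation will actually use.
func cleanThenCheck(rules []Rule, dst string) (string, bool) {
	clean := path.Clean(dst)
	if denied(rules, clean) {
		return "", false
	}
	return clean, true
}

func main() {
	rules := []Rule{{Prefix: "/protected/"}}
	// Constructed destination: not under "/protected/" until path.Clean resolves the '..'.
	dst := "/uploads/../protected/notes.txt"
	eff, ok := checkThenClean(rules, dst)
	fmt.Printf("check-then-clean: allowed=%v effective=%q\n", ok, eff)
	eff, ok = cleanThenCheck(rules, dst)
	fmt.Printf("clean-then-check: allowed=%v effective=%q\n", ok, eff)
}
```

The same fix shape applies to any rules engine that compares a raw string: decide on the normalised path the filesystem layer will actually receive.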

Weakness Enumeration: Path traversal; Incorrect Authorization

Related Identifiers:
CVE-2026-32758
GHSA-9F3R-2VGW-M8XP
GO-2026-4711
SUSE-SU-2026:1135-1

Affected Products: Filebrowser