PT-2026-25858 · Unknown · Filebrowser

Fg0X0 · Published 2026-03-16 · Updated 2026-03-27 · CVE-2026-32760

CVSS v4.0: 10 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions: File Browser versions 2.61.2 and below

Description: File Browser, a file management interface, has an issue where unauthenticated users can register as full administrators if self-registration is enabled (signup = true) and the default user permissions have perm.admin = true. The signup handler applies all default settings, including Perm.Admin, to new users, with no server-side check that prevents self-registered accounts from receiving administrative privileges. Specifically, the settings.UserDefaults.Apply function in settings/defaults.go and the settings API in http/settings.go allow an administrator to set defaults.perm.admin to true; with signup enabled, any account created via the public registration endpoint then becomes an administrator with full control over files, users, and server settings. The vulnerable code is located in http/auth.go. The issue is resolved in version 2.62.0.

Recommendations: Versions prior to 2.62.0 are affected. Update to version 2.62.0 or later.
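
The flaw in the Description, modelled next to one possible server-side guard and a configuration check for the risky combination. This is an added example, not File Browser's source and not necessarily the 2.62.0 patch; the type shapes and the function names signupAsDescribed, signupHardened and riskyConfig are assumptions made for illustration.

```go
package main

import "fmt"

// Simplified stand-ins for File Browser's types (assumed shapes, not the project's source).
type Permissions struct{ Admin, Execute, Create, Delete bool }

type UserDefaults struct{ Perm Permissions }

type Settings struct {
	Signup   bool
	Defaults UserDefaults
}

type User struct {
	Username string
	Perm     Permissions
}

// Apply copies every default onto the user, Perm.Admin included.
func (d UserDefaults) Apply(u *User) { u.Perm = d.Perm }

// signupAsDescribed models the flaw: defaults are applied to a
// self-registered account with no server-side restriction.
func signupAsDescribed(s Settings, name string) (*User, error) {
	if !s.Signup {
		return nil, fmt.Errorf("signup disabled")
	}
	u := &User{Username: name}
	s.Defaults.Apply(u)
	return u, nil
}

// signupHardened is one possible mitigation (hypothetical, not the upstream fix):
// a self-registered account never receives Admin, whatever the defaults say.
func signupHardened(s Settings, name string) (*User, error) {
	u, err := signupAsDescribed(s, name)
	if err != nil {
		return nil, err
	}
	u.Perm.Admin = false
	return u, nil
}

// riskyConfig flags the combination the advisory names: signup on and admin by default.
func riskyConfig(s Settings) bool { return s.Signup && s.Defaults.Perm.Admin }

func main() {
	s := Settings{Signup: true, Defaults: UserDefaults{Perm: Permissions{Admin: true, Create: true}}} // constructed sample
	a, _ := signupAsDescribed(s, "alice")
	b, _ := signupHardened(s, "bob")
	fmt.Println(riskyConfig(s), a.Perm.Admin, b.Perm.Admin)
}
```

On installations that cannot be updated immediately, the riskyConfig condition is the one to audit for: either setting alone does not produce the described outcome.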

Exploit

Fix

LPE

Improper Access Control

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2026-32760
GHSA-5GG9-5G7W-HM73
GO-2026-4710
SUSE-SU-2026:1135-1

Affected Products

Filebrowser