PT-2026-29425 · Unknown · Filebrowser
Offset · Published 2026-03-31 · Updated 2026-04-02 · CVE-2026-34528
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: File Browser versions prior to 2.62.2
Description: File Browser's signupHandler applies default user permissions incorrectly. It copies every permission from the default settings and then strips only the Admin permission, leaving the Execute and Commands permissions intact. If an administrator enables signup, enables server-side execution, and sets Execute to true in the default user template, an unauthenticated user who self-registers inherits shell execution capability and can run arbitrary commands on the server. The issue stems from an incomplete fix in a previous commit that addressed only the Admin permission. The vulnerability gives an attacker complete server compromise if the File Browser process runs as root, and a significant lateral-movement vector otherwise. The API endpoint '/api/signup' is used for self-registration, and the '/api/command/' WebSocket endpoint is used for command execution. The vulnerable parameters are username and password during signup, and the command parameter sent over the WebSocket connection. The d.settings.Defaults.Apply(user) function applies the default permissions, and the commandsHandler function checks the d.user.Perm.Execute permission before executing commands.
Recommendations: Update to File Browser version 2.62.2 or later.
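The permission-copy pattern described above, shown as an added example. This is not File Browser's own code: the Permissions, Defaults and User types, the two apply functions and the configuration check are simplified stand-ins (assumptions) that model the flawed behaviour (copy all defaults, clear only Admin) beside a hardened variant that never lets a self-registered account inherit Execute or Commands, plus a check an operator can run against their own settings to spot the risky combination of signup, server-side execution and an Execute-enabled default template.

```go
package main

import "fmt"

// Permissions is a simplified model of a user's capability set.
// Assumption: it is not File Browser's real type, only the fields the
// advisory talks about plus a few ordinary file permissions.
type Permissions struct {
	Admin    bool
	Execute  bool
	Commands bool
	Create   bool
	Modify   bool
	Delete   bool
}

// Defaults models the default user template an administrator configures.
type Defaults struct {
	Perm Permissions
}

// User models a registered account.
type User struct {
	Username string
	Perm     Permissions
}

// applySignupVulnerable mirrors the flawed approach the advisory describes:
// every default permission is copied and only Admin is removed, so an
// Execute-enabled template leaks shell execution to self-registered users.
func applySignupVulnerable(d Defaults, u *User) {
	u.Perm = d.Perm
	u.Perm.Admin = false
}

// applySignupHardened is the corrected variant: a self-registered account
// keeps ordinary file permissions from the template but never inherits the
// capabilities that grant command execution, whatever the template says.
func applySignupHardened(d Defaults, u *User) {
	u.Perm = d.Perm
	u.Perm.Admin = false
	u.Perm.Execute = false
	u.Perm.Commands = false
}

// canRunCommands models the gate a command handler applies before running
// anything; it mirrors the Execute check named in the advisory.
func canRunCommands(u User) bool {
	return u.Perm.Execute
}

// riskySignupConfig is a defender-side check: it reports true when the
// three settings the advisory names combine into the dangerous state
// (self-signup on, server-side execution on, and a default template that
// grants Execute or Commands).
func riskySignupConfig(signupEnabled, execEnabled bool, d Defaults) bool {
	return signupEnabled && execEnabled && (d.Perm.Execute || d.Perm.Commands)
}

func main() {
	// Constructed sample template: an administrator has switched Execute on.
	d := Defaults{Perm: Permissions{Admin: true, Execute: true, Commands: true, Create: true}}

	vuln := User{Username: "self-registered"}
	applySignupVulnerable(d, &vuln)
	fmt.Printf("vulnerable: admin=%v canRunCommands=%v\n", vuln.Perm.Admin, canRunCommands(vuln))

	fixed := User{Username: "self-registered"}
	applySignupHardened(d, &fixed)
	fmt.Printf("hardened:   admin=%v canRunCommands=%v create=%v\n", fixed.Perm.Admin, canRunCommands(fixed), fixed.Perm.Create)

	fmt.Printf("risky config (signup+exec+Execute template): %v\n", riskySignupConfig(true, true, d))
}
```

Until the upgrade to 2.62.2 is applied, the riskySignupConfig check is the condition to look for in a deployment: any instance where signup and server-side execution are both enabled while the default template grants Execute or Commands is exposed, and disabling signup or clearing Execute in the template removes the precondition.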

Weakness Enumeration

Improper Privilege Management

Related Identifiers

CVE-2026-34528
GHSA-X8JC-JVQM-PM3F

Affected Products

Filebrowser