CVE-2026-35607

File Browser versions prior to 2.63.1 Description: File Browser is a file managing interface. Prior to version 2.63.1, a fix intended to restrict execute permissions for self-registered users was not applied to the proxy authentication handler. This allowed users automatically created on first successful proxy authentication login to inherit execution capabilities from global defaults, violating a security invariant. This issue is an incomplete fix for a previous problem where signup granted execution permissions when default permissions included execution. The vulnerability is related to the application of default settings in the auth/proxy.go createUser() function, where restrictions on Execute permission and Commands were missing compared to the signup handler. API Endpoint: /api/login. Vulnerable Parameters: username. Function Name: createUser(). Recommendations: Upgrade to File Browser version 2.63.1 or later.