Broken Access Control in File Browser Allows Unauthorized Deletion of Files
CVE-2026-29188

9.1CRITICAL

Key Information:

Vendor

Filebrowser

Status
Filebrowser
Vendor
CVE Published:
5 March 2026

What is CVE-2026-29188?

File Browser, a file management tool, has a vulnerability that allows authenticated users with only Create permissions to delete files and directories within their designated scope. This flaw exists in the TUS protocol DELETE endpoint and bypasses intended restrictions, posing a risk particularly in environments with strict deletion permissions. Users are advised to upgrade to version 2.61.1 to mitigate this issue.

Affected Version(s)

filebrowser < 2.61.1

References

https://github.com/filebrowser/filebrowser/security/advis...
x_refsource_CONFIRM
https://github.com/filebrowser/filebrowser/commit/7ed1425...
x_refsource_MISC
https://github.com/filebrowser/filebrowser/releases/tag/v...
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.