File Management Vulnerability in File Browser Affects User Data Security
CVE-2026-55667

8.2 HIGH

Key Information:

Vendor
CVE Published: 25 June 2026

What is CVE-2026-55667?

A vulnerability in File Browser allows a scoped, non-admin user who holds only the Create permission to delete arbitrary files outside their designated scope. The flaw is in the upload failure-cleanup process, which uses the ScopedFs.RemoveAll method; that method improperly bypasses essential symlink protections. An authenticated user can therefore manipulate directory symlinks to delete critical files belonging to other tenants or the application's own database. The flaw was addressed in version 2.63.16.
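The class of bug described above, shown as an added example: a lexical-only scoped delete beside one that refuses to traverse a symlinked parent directory. This is not File Browser's code or its actual fix; `naiveRemoveAll`, `scopedRemoveAll` and `demo` are hypothetical names, the directory layout is constructed, and POSIX paths are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

func naiveRemoveAll(root, rel string) error { // unsafe: lexical join only
	return os.RemoveAll(filepath.Join(root, filepath.Clean("/"+rel)))
}

// scopedRemoveAll (hypothetical) Lstat()s each component and rejects symlinked parents.
func scopedRemoveAll(root, rel string) error {
	parts := strings.Split(strings.TrimPrefix(filepath.Clean("/"+rel), "/"), "/")
	cur := root
	for i, p := range parts {
		if p == "" {
			return errors.New("refusing to remove the scope root")
		}
		cur = filepath.Join(cur, p)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			return nil // nothing left to clean up
		} else if err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 && i < len(parts)-1 {
			return fmt.Errorf("path escapes scope: %s is a symlink", cur)
		}
	}
	return os.RemoveAll(cur) // a final-component symlink is unlinked, not followed
}

// demo builds a constructed layout and reports whether a file outside the scope survives.
func demo(remove func(root, rel string) error) bool {
	base, _ := os.MkdirTemp("", "scope-demo")
	defer os.RemoveAll(base)
	scope, victim := filepath.Join(base, "tenantA"), filepath.Join(base, "other.db")
	os.Mkdir(scope, 0o755)
	os.WriteFile(victim, []byte("x"), 0o600)
	os.Symlink(base, filepath.Join(scope, "link")) // directory symlink inside the scope
	remove(scope, "link/other.db")
	_, err := os.Stat(victim)
	return err == nil
}

func main() { fmt.Println("naive:", demo(naiveRemoveAll), "scoped:", demo(scopedRemoveAll)) }
```

The Lstat walk is check-then-use, so a concurrent rename can still swap a component between the check and the delete; closing that gap needs directory-handle-relative operations such as Go's `os.Root`.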

Affected Version(s)

filebrowser < 2.63.16

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
