CVE-2026-29188
📋 TL;DR
This broken access control vulnerability in File Browser allows authenticated users who hold only the Create permission to delete files and directories they are not permitted to delete. Multi-user deployments where administrators restrict deletion permissions for certain users are affected. The vulnerability bypasses the intended permission checks in the TUS protocol DELETE endpoint.
💻 Affected Systems
- File Browser
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious or compromised users could delete critical system files, application data, or configuration files, potentially causing data loss, service disruption, or system compromise.
Likely Case
Users with limited permissions could delete files they shouldn't have access to, leading to data loss, operational disruption, or privilege escalation within the file management system.
If Mitigated
If proper network segmentation and least privilege access are implemented, impact would be limited to the specific file browser instance and its accessible directories.
🎯 Exploit Status
Exploitation requires authenticated access but only needs Create permission, making it accessible to many users. The vulnerability is in a specific protocol endpoint, making targeted exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.61.1
Vendor Advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm
Restart Required: Yes
Instructions:
1. Backup your File Browser configuration and data.
2. Stop the File Browser service.
3. Update to version 2.61.1 or later using your package manager or by downloading from GitHub releases.
4. Restart the File Browser service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable TUS protocol
Disable the TUS protocol endpoint if not required for your use case
Modify configuration to set tus.enabled = false
Restrict user permissions
Temporarily grant all users Delete permission or remove Create permission to prevent exploitation
Adjust user permissions in File Browser configuration
🧯 If You Can't Patch
- Implement network segmentation to isolate File Browser instances from critical systems
- Enable detailed logging and monitoring for file deletion events, particularly via TUS protocol
🔍 How to Verify
Check if Vulnerable:
Check the File Browser version: if it is lower than 2.61.1 and multi-user permissions are configured, the system is vulnerable.
Check Version:
filebrowser version
Verify Fix Applied:
Verify version is 2.61.1 or later and test that users with only Create permission cannot delete files via TUS protocol.
📡 Detection & Monitoring
Log Indicators:
- DELETE requests to TUS protocol endpoints from users with only Create permission
- Unexpected file deletion events in File Browser logs
Network Indicators:
- HTTP DELETE requests to /api/tus/* endpoints
- Unusual patterns of file deletion activity
SIEM Query:
source="filebrowser.log" AND (method="DELETE" AND uri="/api/tus/*")
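The log indicators above only become useful when a DELETE to a TUS endpoint is correlated with the permissions of the user who sent it. The following script, an added example that is not part of this advisory or of the File Browser project, does that correlation over constructed sample log lines and also implements the version check from the "How to Verify" section. The log line layout, the user names and the permission table are all assumptions made for illustration; File Browser's real log format and permission model may differ, so the regular expression would need adjusting before running this against production logs.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines in a common-log-like layout.
# This layout is an assumption for the example, not File Browser's real log format.
SAMPLE_LOG = """\
10.0.0.5 alice [05/Mar/2026:10:12:01 +0000] "POST /api/tus/docs/report.pdf HTTP/1.1" 201
10.0.0.5 alice [05/Mar/2026:10:12:09 +0000] "DELETE /api/tus/docs/report.pdf HTTP/1.1" 204
10.0.0.9 bob [05/Mar/2026:10:13:44 +0000] "DELETE /api/tus/shared/notes.txt HTTP/1.1" 204
10.0.0.9 bob [05/Mar/2026:10:14:02 +0000] "DELETE /api/resources/shared/old.txt HTTP/1.1" 200
10.0.0.7 carol [05/Mar/2026:10:15:30 +0000] "GET /api/resources/ HTTP/1.1" 200
"""

# Constructed permission table (hypothetical users): which users hold Create / Delete.
USER_PERMS = {
    "alice": {"create"},            # create-only: a TUS DELETE from her is the CVE pattern
    "bob": {"create", "delete"},    # legitimately allowed to delete
    "carol": set(),
}

# Parses the assumed log layout: ip user [timestamp] "METHOD uri PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})$'
)

PATCHED_VERSION = (2, 61, 1)  # first fixed release named in the advisory


@dataclass
class Finding:
    user: str
    uri: str
    status: int
    reason: str


def find_suspicious_tus_deletes(log_text, perms):
    """Return one Finding per DELETE to /api/tus/* issued by a user without Delete permission.

    DELETEs by users who do hold Delete are ignored, as are DELETEs to non-TUS endpoints,
    so the output is the permission-bypass pattern rather than all deletion activity.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        if m["method"] != "DELETE" or not m["uri"].startswith("/api/tus/"):
            continue
        user = m["user"]
        if "delete" not in perms.get(user, set()):
            findings.append(Finding(
                user=user,
                uri=m["uri"],
                status=int(m["status"]),
                reason="DELETE via TUS endpoint by a user without Delete permission",
            ))
    return findings


def is_vulnerable_version(version):
    """True when the reported version is below 2.61.1.

    Compares numerically so that 2.61.10 is correctly treated as newer than 2.61.1,
    which a plain string comparison would get wrong. A leading 'v' is tolerated.
    """
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) if p is not None else 0 for p in m.groups())
    return parts < PATCHED_VERSION


if __name__ == "__main__":
    for f in find_suspicious_tus_deletes(SAMPLE_LOG, USER_PERMS):
        print(f"ALERT user={f.user} uri={f.uri} status={f.status}: {f.reason}")
    for v in ("2.61.0", "2.61.1", "v2.61.10"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "patched")
```

Only alice's DELETE is reported: bob holds Delete and his TUS DELETE is expected, and his second DELETE is not against a TUS endpoint. A 2xx status on the flagged request is the strongest signal, since it means the server actually honoured the deletion.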