CVE-2026-29188: File Browser's TUS Delete Endpoint Bypasses Delete Permission Check
(updated )
A broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected.
References
- github.com/advisories/GHSA-79pf-vx4x-7jmm
- github.com/filebrowser/filebrowser
- github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f
- github.com/filebrowser/filebrowser/releases/tag/v2.61.1
- github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm
- nvd.nist.gov/vuln/detail/CVE-2026-29188
Code Behaviors & Features
Detect and mitigate CVE-2026-29188 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →