CVE-2026-32758: File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter
(updated )
The resourcePatchHandler in http/resource.go validates the destination path against configured access rules before the path is cleaned/normalized. The rules engine (rules/rules.go) uses literal string prefix matching (strings.HasPrefix) or regex matching against the raw path. The actual file operation (fileutils.Copy, patchAction) subsequently calls path.Clean() which resolves .. sequences, producing a different effective path than the one validated.
This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules by including .. (dot-dot) path traversal sequences in the destination query parameter of a PATCH request.
References
- github.com/advisories/GHSA-9f3r-2vgw-m8xp
- github.com/filebrowser/filebrowser
- github.com/filebrowser/filebrowser/commit/4bd7d69c82163b201a987e99c0c50d7ecc6ee5f1
- github.com/filebrowser/filebrowser/releases/tag/v2.62.0
- github.com/filebrowser/filebrowser/security/advisories/GHSA-9f3r-2vgw-m8xp
- nvd.nist.gov/vuln/detail/CVE-2026-32758
Code Behaviors & Features
Detect and mitigate CVE-2026-32758 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →