CVE-2026-32760: File Browser Signup Grants Admin When Default Permissions Include Admin
Any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings, including Perm.Admin, to the new user without any server-side guard that strips admin from self-registered accounts.
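The pattern described above, as an added Go example that is not File Browser's own code: an unguarded signup that copies every default permission, next to a guarded form and a configuration check for the risky combination. The type and function names (Permissions, User, Settings, signupUnguarded, signupGuarded, riskyConfig) are hypothetical stand-ins, and the sample settings are constructed.

```go
package main

import "fmt"

// Permissions, User and Settings are simplified stand-ins (assumptions),
// not File Browser's real types.
type Permissions struct {
	Admin  bool
	Create bool
}

type User struct {
	Username string
	Perm     Permissions
}

type Settings struct {
	Signup   bool        // self-registration enabled
	Defaults Permissions // default permissions for new users
}

// signupUnguarded copies every default permission, Admin included.
func signupUnguarded(s Settings, username string) (*User, error) {
	if !s.Signup {
		return nil, fmt.Errorf("signup disabled")
	}
	return &User{Username: username, Perm: s.Defaults}, nil
}

// signupGuarded applies the defaults, then forces Admin off server-side.
func signupGuarded(s Settings, username string) (*User, error) {
	u, err := signupUnguarded(s, username)
	if err != nil {
		return nil, err
	}
	u.Perm.Admin = false // self-registered accounts never start as admin
	return u, nil
}

// riskyConfig flags the combination the advisory describes.
func riskyConfig(s Settings) bool {
	return s.Signup && s.Defaults.Admin
}

func main() {
	// Constructed sample settings matching the vulnerable combination.
	s := Settings{Signup: true, Defaults: Permissions{Admin: true, Create: true}}
	a, _ := signupUnguarded(s, "visitor")
	b, _ := signupGuarded(s, "visitor")
	fmt.Println(a.Perm.Admin, b.Perm.Admin, riskyConfig(s))
}
```

The guard keeps the other defaults intact and only clears the admin bit, so an operator who deliberately sets admin as a default for accounts created by an administrator is unaffected.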
References
- github.com/advisories/GHSA-5gg9-5g7w-hm73
- github.com/filebrowser/filebrowser
- github.com/filebrowser/filebrowser/commit/a63573b67eb302167b4c4f218361a2d0c138deab
- github.com/filebrowser/filebrowser/releases/tag/v2.62.0
- github.com/filebrowser/filebrowser/security/advisories/GHSA-5gg9-5g7w-hm73
- nvd.nist.gov/vuln/detail/CVE-2026-32760