CVE-2026-34528: File Browser's Signup Grants Execution Permissions When Default Permissions Include Execution
The signupHandler in File Browser applies the default user template to a newly registered account via d.settings.Defaults.Apply(user) and then strips only the Admin permission (commit a63573b). The Execute permission and the Commands list copied from the template are left in place. When all three of the following hold, namely signup is enabled, server-side command execution is enabled, and the default user template sets Execute=true, any unauthenticated user who self-registers inherits shell execution capability and can run arbitrary commands on the server. The defect is a deny-list strip (remove Admin, keep everything else) where a self-registration path should grant only an explicit, minimal set of permissions. Until a fixed build is deployed, removing any one precondition (disabling signup, disabling server-side execution, or clearing Execute and Commands from the default template) closes the exposure.
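The pattern the advisory describes, modelled in Go as an added example (this is not File Browser's own code; the types Perm, User, Defaults and the functions Apply, signupVulnerable, signupHardened and canRunCommands are assumptions built from the description above). The vulnerable path applies the template and clears only Admin; the hardened path also clears Execute and empties Commands, so a self-registered account never gains execution regardless of what the template grants.

```go
package main

import "fmt"

// Perm models a per-user permission set as described in the advisory.
// Field names are assumptions for this example, not File Browser's own.
type Perm struct {
	Admin    bool
	Execute  bool
	Create   bool
	Modify   bool
	Delete   bool
	Download bool
}

// User carries the permission flags and the list of shell commands the
// account may run when server-side execution is enabled (assumed shape).
type User struct {
	Username string
	Perm     Perm
	Commands []string
}

// Defaults is the administrator-configured template applied to new users.
type Defaults struct {
	Perm     Perm
	Commands []string
}

// Apply copies the whole template onto u, Execute and Commands included.
func (d Defaults) Apply(u *User) {
	u.Perm = d.Perm
	u.Commands = append([]string(nil), d.Commands...)
}

// signupVulnerable reproduces the pattern in the advisory: apply the template
// wholesale, then strip only Admin. Execute and Commands survive the strip.
func signupVulnerable(d Defaults, name string) *User {
	u := &User{Username: name}
	d.Apply(u)
	u.Perm.Admin = false // the only capability removed
	return u
}

// signupHardened denies execution to every self-registered account: Admin and
// Execute are cleared and the command list is emptied. An administrator can
// still raise the account's permissions explicitly afterwards.
func signupHardened(d Defaults, name string) *User {
	u := &User{Username: name}
	d.Apply(u)
	u.Perm.Admin = false
	u.Perm.Execute = false
	u.Commands = nil
	return u
}

// canRunCommands is the check a command-execution request path would make:
// execution must be enabled server-wide and the user must hold Execute.
func canRunCommands(execEnabled bool, u *User) bool {
	return execEnabled && u.Perm.Execute
}

func main() {
	// Constructed template matching the advisory's preconditions
	// (Execute=true in the default user template).
	d := Defaults{
		Perm:     Perm{Execute: true, Create: true, Download: true},
		Commands: []string{"ls", "cat"},
	}
	v := signupVulnerable(d, "anon")
	h := signupHardened(d, "anon")
	fmt.Printf("vulnerable signup: execute=%v commands=%v\n", canRunCommands(true, v), v.Commands)
	fmt.Printf("hardened signup:   execute=%v commands=%v\n", canRunCommands(true, h), h.Commands)
}
```

The hardened variant still applies the template for the harmless flags (Create, Download and so on) and only forces the execution-related fields off; a stricter design would build the signup permission set as an allow-list from scratch rather than copy the template and subtract.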