8.1

File Browser: Malicious Users Can Delete Any Files

CVE-2026-29188 GHSA-79pf-vx4x-7jmm
Summary

A security flaw in File Browser's delete function before version 2.61.1 allows authorized users with limited permissions to delete any files within their scope, potentially bypassing intended restrictions. This affects multi-user deployments where file deletion is restricted for certain users. Upgrade to version 2.61.1 or later to fix this issue.

What to do
  • Update github.com filebrowser to version 2.61.1.
Affected software
Vendor | Product | Affected versions | Fix available
github.com | filebrowser | <= 2.61.0 | 2.61.1
filebrowser | filebrowser | <= 2.61.1 | –
Original title
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control v...
Original description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.
nvd CVSS3.1 9.1
Vulnerability type
CWE-284 Improper Access Control
CWE-732 Incorrect Permission Assignment for Critical Resource
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026
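
The class of flaw named in the original description (a DELETE on an upload endpoint passing because only the Create permission is checked), shown beside a per-method check. This is an added example, not File Browser's code or its actual patch; `Perm`, `required`, `guard`, `status` and the request path are hypothetical names constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Perm is a hypothetical per-user permission set (not File Browser's own type).
type Perm struct{ Create, Delete bool }

// required maps each HTTP method of a TUS-style upload endpoint to the permission it needs.
func required(method string, p Perm) bool {
	switch method {
	case http.MethodPost, http.MethodPatch, http.MethodHead:
		return p.Create
	case http.MethodDelete:
		return p.Delete // must not inherit the upload (Create) check
	}
	return false // deny any method nobody mapped
}

// guard enforces permissions; perMethod=false reproduces the flaw class (one Create check for every method).
func guard(p Perm, perMethod bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok := p.Create
		if perMethod {
			ok = required(r.Method, p)
		}
		if !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one request (constructed path) through the guard and returns the response code.
func status(p Perm, perMethod bool, method string) int {
	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) })
	rec := httptest.NewRecorder()
	guard(p, perMethod, next).ServeHTTP(rec, httptest.NewRequest(method, "/upload/report.txt", nil))
	return rec.Code
}

func main() {
	u := Perm{Create: true} // constructed user: may upload, may not delete
	fmt.Println(status(u, false, "DELETE"), status(u, true, "DELETE"))
}
```

A regression test of this shape, run against each method the endpoint accepts with a Create-only account, is a quick way to confirm an upgraded deployment enforces the Delete restriction.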