Filebrowser CVE-2026-35607

EUVD-2026-19782 · HIGH
Improper Privilege Management (CWE-269)
2026-04-07 · GitHub_M · GHSA-7526-j432-6ppp
CVSS 3.1 score 8.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Re-analysis Queued · Apr 16, 2026 18:22 · vuln.today · cvss_changed
Patch released · Apr 08, 2026 02:30 · nvd · Patch available
EUVD ID Assigned · Apr 07, 2026 17:00 · euvd · EUVD-2026-19782
Analysis Generated · Apr 07, 2026 17:00 · vuln.today
CVE Published · Apr 07, 2026 16:31 · nvd

Description (GitHub Advisory)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 ("self-registered users don't get execute perms") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global defaults, even though the signup path was explicitly changed to prevent execution rights from being inherited by automatically provisioned accounts. This vulnerability is fixed in 2.63.1.
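The defect described above, as an added illustration in Go (File Browser's language) that is not the project's own code: the types, the two provisioning functions and the audit helper are hypothetical stand-ins for the real handlers, showing why copying global defaults unchanged hands an auto-created account execute rights, what the b6a4fb1-style stripping looks like, and how to list accounts that still carry them.

```go
package main

import "fmt"

// Hypothetical model of per-user permission flags and global defaults;
// not File Browser's real types.
type Perm struct {
	Create, Modify, Execute bool
}

type Defaults struct {
	Perm     Perm
	Commands []string // shell commands the account may run
}

type User struct {
	Username string
	Perm     Perm
	Commands []string
}

// provisionFromDefaults models the pre-2.63.1 proxy-auth handler: a user
// seen for the first time is created straight from global defaults, so
// Execute and Commands are inherited unchanged.
func provisionFromDefaults(name string, d Defaults) *User {
	return &User{Username: name, Perm: d.Perm, Commands: append([]string(nil), d.Commands...)}
}

// provisionStripped applies the rule commit b6a4fb1 added to the signup
// handler and 2.63.1 extends to proxy auth: auto-created accounts never
// inherit execute rights or commands, whatever the global defaults say.
func provisionStripped(name string, d Defaults) *User {
	u := provisionFromDefaults(name, d)
	u.Perm.Execute = false
	u.Commands = nil
	return u
}

// usersWithExec lists accounts that can run commands; run it over accounts
// that were auto-provisioned before the upgrade to find ones to clean up.
func usersWithExec(users []*User) []string {
	var out []string
	for _, u := range users {
		if u.Perm.Execute || len(u.Commands) > 0 {
			out = append(out, u.Username)
		}
	}
	return out
}

func main() {
	d := Defaults{Perm: Perm{Create: true, Modify: true, Execute: true}, Commands: []string{"git", "ls"}}
	users := []*User{provisionFromDefaults("alice", d), provisionStripped("bob", d)}
	fmt.Println(usersWithExec(users)) // [alice]
}
```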

Analysis (AI)

Auto-provisioned users in File Browser's proxy authentication flow inherit elevated execution permissions that were explicitly blocked in the self-registration flow, enabling unauthorized command execution. Versions prior to 2.63.1 grant execute capabilities to proxy-auth users from global defaults, bypassing security controls added in commit b6a4fb1. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Attacker authenticates via proxy auth handler
Exploit: User auto-created with global default permissions
Execution: Execute permission inherited despite signup restrictions
Impact: Arbitrary code execution achieved

Vulnerability Assessment (AI)

Exploitation: File Browser versions prior to 2.63.1 with proxy authentication enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: This vulnerability presents moderate-to-high real-world risk despite the CVSS 8.1 rating, contingent on deployment architecture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker identifies a File Browser instance using proxy authentication with a permissive upstream authentication system or compromised proxy credentials. After successfully authenticating through the proxy layer (potentially via credential stuffing, session hijacking, or exploiting weaknesses in the proxy's authentication logic), the attacker's first login triggers automatic account creation in File Browser. …
Remediation: Upgrade File Browser to version 2.63.1 or later, which applies consistent permission stripping across both signup and proxy authentication handlers. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all File Browser deployments and identify those using proxy authentication for user provisioning. …


CVE-2026-35607 vulnerability details – vuln.today
