CVE-2026-32758— File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter

File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward—resolving .. sequences into a different effective path. This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules (both prefix-based and regex-based) by injecting .. sequences in the destination parameter of a PATCH request. As a result, the user can write or move files into any deny-rule-protected path within their scope. However, this cannot be used to escape the user's BasePathFs scope or read from restricted paths. This issue has been fixed in version 2.62.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

授权机制不正确

File Browser 安全漏洞

File Browser是File Browser开源的一个文件管理界面，在指定的目录，它可以用来上传，删除，预览和编辑文件。 File Browser 2.61.2及之前版本存在安全漏洞，该漏洞源于resourcePatchHandler存在路径遍历，可能导致绕过管理员配置的拒绝规则。

N/A

N/A