Security researchers have issued a high-priority alert for users of File Browser, a popular open-source self-hosted cloud storage solution. A critical logic flaw has been discovered in the platform’s registration system that can automatically grant full administrative powers to any new user who signs up.
The vulnerability, tracked as CVE-2026-32760, has been assigned a maximum CVSS score of 10, reflecting its potential for total system takeover with zero technical effort from an attacker.
File Browser allows administrators to set “Default Settings” that are automatically applied to every new account created on the system. The vulnerability exists because the platform’s signup handler “blindly applies” these default settings—including administrative permissions—without any server-side check to ensure a public registrant isn’t being promoted to an admin.
If an administrator has (either intentionally or accidentally) configured the default user permissions to include perm.admin = true, the “Sign Up” button effectively becomes a “Become Administrator” button.
As the technical advisory explains:
“The signup handler blindly applies all default settings – including Perm.Admin – to the new user without any server-side guard that strips admin from self-registered accounts.”
The consequences of this flaw are absolute. Any unauthenticated visitor who can reach the public registration endpoint (POST /api/signup) can instantly obtain a full administrator account.
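To make the flaw concrete, here is an added example (not File Browser's own code, and not taken from the advisory) of the pattern described above, written in Go because that is the language File Browser is written in. The types, field names, the `vulnerableSignup` and `hardenedSignup` functions and the `signupHandler` are all simplified assumptions for illustration: the vulnerable path copies the admin-configured defaults onto a self-registered account unchanged, while the hardened path applies the same defaults and then forces the privileges a public registrant must never inherit back to false.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Perm and User are a simplified, hypothetical model of a File Browser-style
// account; they are not the project's real types.
type Perm struct {
	Admin   bool `json:"admin"`
	Execute bool `json:"execute"`
	Create  bool `json:"create"`
	Modify  bool `json:"modify"`
	Delete  bool `json:"delete"`
}

type User struct {
	Username string `json:"username"`
	Scope    string `json:"scope"`
	Perm     Perm   `json:"perm"`
}

// Settings holds the admin-controlled "Default Settings" that are applied to
// every new account, plus the switch that exposes public registration.
type Settings struct {
	Signup   bool
	Defaults struct {
		Scope string
		Perm  Perm
	}
}

var ErrSignupDisabled = errors.New("signup is disabled")

// vulnerableSignup shows the flawed pattern the advisory describes: every
// default, Perm.Admin included, is copied onto the self-registered user.
func vulnerableSignup(s Settings, username string) (*User, error) {
	if !s.Signup {
		return nil, ErrSignupDisabled
	}
	return &User{Username: username, Scope: s.Defaults.Scope, Perm: s.Defaults.Perm}, nil
}

// hardenedSignup applies the same defaults, then strips what a self-registered
// account must never inherit. Clearing Admin is the guard the advisory calls
// for; clearing Execute as well is this example's own defensive choice, since
// exec rights on the host are what turns an admin account into code execution.
func hardenedSignup(s Settings, username string) (*User, error) {
	if !s.Signup {
		return nil, ErrSignupDisabled
	}
	u := &User{Username: username, Scope: s.Defaults.Scope, Perm: s.Defaults.Perm}
	u.Perm.Admin = false
	u.Perm.Execute = false
	return u, nil
}

// signupHandler is a minimal POST /api/signup endpoint built on hardenedSignup.
// Password hashing and persistence are omitted; the point is the permission guard.
func signupHandler(s Settings) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		var req struct {
			Username string `json:"username"`
			Password string `json:"password"`
		}
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil || strings.TrimSpace(req.Username) == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		u, err := hardenedSignup(s, req.Username)
		if errors.Is(err, ErrSignupDisabled) {
			http.Error(w, "signup disabled", http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(u)
	}
}

func main() {
	// Constructed configuration: an operator has (mistakenly) made admin the default.
	var s Settings
	s.Signup = true
	s.Defaults.Scope = "/srv/files"
	s.Defaults.Perm = Perm{Admin: true, Execute: true, Create: true}

	v, _ := vulnerableSignup(s, "newcomer")
	h, _ := hardenedSignup(s, "newcomer")
	fmt.Printf("vulnerable signup: admin=%v exec=%v\n", v.Perm.Admin, v.Perm.Execute)
	fmt.Printf("hardened signup:   admin=%v exec=%v\n", h.Perm.Admin, h.Perm.Execute)
	http.Handle("/api/signup", signupHandler(s))
}
```

The essential point is that the guard lives server-side, after the defaults are applied and regardless of what the request body contains: a client cannot opt back into admin, and a misconfigured default no longer turns the registration form into an administrator factory.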
With an admin account, an attacker can:
- Total File Control: List, read, modify, and delete every single file hosted on the server.
- User Manipulation: Create, modify, or delete all other existing user accounts.
- System Hijack: Change authentication methods and global server settings.
- Remote Code Execution: If the “Enable Exec” setting is active, the attacker can execute arbitrary system commands directly on the host server.
The vulnerability affects all versions of File Browser up to and including version 2.61.2. A patch has been released in version 2.62.0 that introduces the necessary guards to prevent self-registered users from inheriting administrative rights.
Essential Remediation Steps:
- Update Immediately: Upgrade your File Browser installation to version 2.62.0 or later.
- Audit Default Permissions: Immediately check your “Global Settings” and ensure that perm.admin is set to false for default user profiles.
- Review User Lists: If you have had public signup enabled, review your user list for any unrecognized accounts with administrative privileges.
- Disable Signup: If you do not strictly require public registration, disable the signup feature entirely to reduce your attack surface.
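The four remediation steps above can be checked together. The following Go program is an added example, not a File Browser tool or an official script: it takes a version string, an exported settings document and an exported user list, and reports whether the version is in the affected range (up to and including 2.61.2), whether the default profile carries perm.admin = true, whether public signup is enabled, and which admin accounts are not on an operator-supplied list of expected admins. The JSON field names and the `Audit` / `IsAffected` functions are assumptions made for this example; the sample settings and user list are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Minimal, hypothetical views of exported settings and users. The field names
// are assumptions for this example, not File Browser's real export schema.
type exportedSettings struct {
	Signup   bool `json:"signup"`
	Defaults struct {
		Perm struct {
			Admin   bool `json:"admin"`
			Execute bool `json:"execute"`
		} `json:"perm"`
	} `json:"defaults"`
}

type exportedUser struct {
	Username string `json:"username"`
	Perm     struct {
		Admin bool `json:"admin"`
	} `json:"perm"`
}

// IsAffected reports whether a File Browser version falls in the affected
// range the advisory gives: every release before the fix in 2.62.0.
func IsAffected(version string) (bool, error) {
	parts := strings.Split(strings.TrimPrefix(version, "v"), ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("unexpected version format %q", version)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return false, fmt.Errorf("bad version component %q: %w", p, err)
		}
		n[i] = v
	}
	fixed := [3]int{2, 62, 0}
	for i := range n {
		if n[i] != fixed[i] {
			return n[i] < fixed[i], nil
		}
	}
	return false, nil // exactly the fixed release
}

// Audit evaluates the remediation checklist and returns one finding per issue.
// knownAdmins lists the usernames the operator expects to hold admin rights.
func Audit(version string, settingsJSON, usersJSON []byte, knownAdmins []string) ([]string, error) {
	var s exportedSettings
	if err := json.Unmarshal(settingsJSON, &s); err != nil {
		return nil, fmt.Errorf("settings: %w", err)
	}
	var users []exportedUser
	if err := json.Unmarshal(usersJSON, &users); err != nil {
		return nil, fmt.Errorf("users: %w", err)
	}
	affected, err := IsAffected(version)
	if err != nil {
		return nil, err
	}

	var findings []string
	if affected {
		findings = append(findings, "CRITICAL: version "+version+" is affected; upgrade to 2.62.0 or later")
	}
	if s.Defaults.Perm.Admin {
		findings = append(findings, "CRITICAL: default user profile has perm.admin=true; set it to false")
	}
	if s.Signup {
		findings = append(findings, "WARNING: public signup is enabled; disable it unless strictly required")
		if affected && s.Defaults.Perm.Admin {
			findings = append(findings, "CRITICAL: signup enabled with admin defaults on an affected version: any registrant becomes admin")
		}
	}
	expected := map[string]bool{}
	for _, name := range knownAdmins {
		expected[name] = true
	}
	for _, u := range users {
		if u.Perm.Admin && !expected[u.Username] {
			findings = append(findings, "REVIEW: unrecognized admin account "+u.Username)
		}
	}
	return findings, nil
}

// Constructed sample exports, not taken from any real installation.
var sampleSettings = []byte(`{"signup": true, "defaults": {"perm": {"admin": true, "execute": true}}}`)
var sampleUsers = []byte(`[
  {"username": "admin",    "perm": {"admin": true}},
  {"username": "qz9-temp", "perm": {"admin": true}},
  {"username": "alice",    "perm": {"admin": false}}
]`)

func main() {
	findings, err := Audit("2.61.2", sampleSettings, sampleUsers, []string{"admin"})
	if err != nil {
		fmt.Println("audit failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Run against the constructed sample this reports the affected version, the admin default, the open signup, the combination of the three, and the unexpected admin account qz9-temp. An unrecognized admin account on an instance that had signup open is the signal the "Review User Lists" step is asking you to look for, and should be treated as a possible compromise rather than just a cleanup item.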