CVE-2026-29188 CRITICAL

CVE-2026-29188: File Browser: TUS Delete Endpoint Bypasses Delete Permission Check

Vendor: Filebrowser
Product: filebrowser
Weakness: CWE-732
Published: March 5, 2026
Last update: March 6, 2026

CVSS base score

9.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

File Browser provides a file-management interface within a specified directory and can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.
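The class of flaw described above, as an added sketch that is not File Browser's own code: a guard that authorizes every TUS verb by Create, beside one that authorizes each verb by the permission it exercises. The `Perm` type, the verb-to-permission mapping and the request path are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Perm is a hypothetical per-user permission set, not File Browser's own type.
type Perm struct{ Create, Delete bool }
type check func(p Perm, method string) bool

// createOnly models the flaw: every TUS verb, DELETE included, is gated on Create.
func createOnly(p Perm, _ string) bool { return p.Create }

// perVerb gates each verb on the permission it exercises; unknown verbs are denied.
func perVerb(p Perm, method string) bool {
	switch method {
	case http.MethodPost, http.MethodHead, http.MethodPatch:
		return p.Create // create or resume an upload (assumed mapping)
	case http.MethodDelete:
		return p.Delete // removes data on disk
	}
	return false
}

// guard wraps a TUS handler and answers 403 when the check fails.
func guard(c check, p Perm, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !c(p, r.Method) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one constructed request through the guard and returns the status code.
func status(c check, p Perm, method string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) })
	rec := httptest.NewRecorder()
	guard(c, p, ok).ServeHTTP(rec, httptest.NewRequest(method, "/upload/report.txt", nil))
	return rec.Code
}

func main() {
	u := Perm{Create: true} // may upload, must not delete
	fmt.Println(status(createOnly, u, "DELETE"), status(perVerb, u, "DELETE")) // 204 403
}
```

A regression test for this kind of bug should cover every verb the endpoint accepts against every permission combination, not only the upload path.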

Key dates

02 Disclosure timeline

March 5, 2026: CVE published
March 6, 2026: Record updated