{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-35607/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-35607"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["File Browser"],"_cs_severities":["high"],"_cs_tags":["file-browser","authentication-bypass","privilege-escalation","cve-2026-35607"],"_cs_type":"advisory","_cs_vendors":["File Browser"],"content_html":"\u003cp\u003eFile Browser is a file management interface that allows users to upload, delete, preview, rename, and edit files. A vulnerability, identified as CVE-2026-35607, exists in versions prior to 2.63.1. This flaw stems from inconsistent application of a fix intended to restrict execution permissions for self-registered users. While the fix was correctly implemented for the signup handler (commit b6a4fb1), it was not applied to the proxy authentication handler. As a result, users automatically created upon their first successful proxy authentication login are inadvertently granted execution capabilities based on global defaults. This contradicts the intended security measure of preventing automatic accounts from inheriting execution rights. This vulnerability allows unauthorized users to execute commands, potentially leading to system compromise. The issue is resolved in File Browser version 2.63.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user attempts to access the File Browser interface via proxy authentication.\u003c/li\u003e\n\u003cli\u003eThe File Browser instance, running a version prior to 2.63.1, authenticates the user through the proxy.\u003c/li\u003e\n\u003cli\u003eIf the user does not already exist, the application automatically creates a new user account.\u003c/li\u003e\n\u003cli\u003eDue to the missing fix in the proxy authentication handler, the newly created user account is granted execution permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the granted execution permissions to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThese commands could be used to read sensitive files, modify system configurations, or install malicious software.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the file management interface to upload a malicious script.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious script, achieving arbitrary code execution on the server, potentially leading to data exfiltration or system takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35607 allows unauthenticated or newly authenticated users to gain unauthorized execution privileges within the File Browser application. This can lead to the execution of arbitrary commands, potentially compromising the server hosting the application. The CVSS v3.1 base score for this vulnerability is 8.1, indicating a high level of severity. Depending on the server configuration, this could result in data breaches, system downtime, or complete system takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade File Browser to version 2.63.1 or later to remediate CVE-2026-35607.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026quot;Detect File Browser Unauthorized Command Execution\u0026quot; to identify potential exploitation attempts by monitoring for suspicious process creation events initiated by the File Browser process.\u003c/li\u003e\n\u003cli\u003eReview and restrict the default execution permissions for File Browser to minimize the impact of potential exploits.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity associated with File Browser, specifically HTTP requests related to file uploads and execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T12:00:00Z","date_published":"2024-01-08T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-file-browser-auth-bypass/","summary":"File Browser versions before 2.63.1 improperly grant execution capabilities to new users created via proxy authentication, leading to privilege escalation.","title":"File Browser Proxy Authentication Bypass Vulnerability (CVE-2026-35607)","url":"https://feed.craftedsignal.io/briefs/2024-01-file-browser-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-35607","version":"https://jsonfeed.org/version/1.1"}