Privilege Escalation via Unsafe Default Permission Application in User Signup
Unauthenticated users can register as administrators when self-signup is enabled and default permissions include admin privileges. The signup handler blindly applies all defaults without stripping elevated permissions.
CVE References
Affected
Vulnerability Description
This is a privilege escalation vulnerability rooted in improper separation of concerns during user initialization. The signupHandler in http/auth.go applies default user settings (including permissions) to new self-registered accounts without explicit guards to strip administrative privileges. The root cause is a missing authorization control: there is no check enforcing that self-registered users must have Perm.Admin = false regardless of server defaults. The vulnerability class is Unsafe Defaults Combined with Access Control Bypass. Impact is critical: unauthorized account creation with full administrative access, enabling complete system compromise including data theft, configuration tampering, and lateral movement.
Proof-of-Concept Significance
This PoC demonstrates a configuration-dependent but highly reliable exploitation path. The attack requires two preconditions both controlled by administrators: (1) signup = true (public registration enabled), and (2) default user permissions with perm.admin = true (either intentional or accidental misconfiguration). The PoC proves that no server-side guard exists to prevent admin privilege inheritance during signup. Reliability is near 100% if conditions are met; no race conditions or timing issues apply. The vulnerability affects deployments where administrators enable self-signup for convenience while assuming registration creates unprivileged accounts.
Detection Guidance
Log Indicators:
- Successful user registration followed immediately by administrative actions (settings modification, permission changes, user deletion)
- Signup requests originating from unexpected IP ranges followed by admin API calls from the same source
- Configuration changes setting defaults.perm.admin = true combined with signup = true
HTTP Signatures:
- POST to signup endpoint with immediate subsequent requests to admin-protected endpoints (/api/settings, /api/users, etc.) from the same session
- Audit logs showing newly created users performing administrative operations within seconds of account creation
YARA Rule Concept (configuration inspection; the strings only detect that the keys are present, not that they are set to true, so hits need manual review of the actual values):
rule FileBrowser_CVE_2026_32760 {
    strings:
        $admin_default = "defaults" ascii
        $perm_admin = "perm.admin" ascii
        $signup_true = "signup" ascii nocase
    condition:
        all of them
}
Mitigation Steps
Immediate Actions:
- Disable signup if not required: set signup = false
- Reset admin defaults: ensure defaults.perm.admin = false (audit current configuration)
- Audit active accounts: identify users created via the signup endpoint, verify their actual permission levels, and revoke admin access if inherited
Patch Requirements:
- Add an explicit guard in signupHandler: set user.Perm.Admin = false after Defaults.Apply(user) to force unprivileged accounts
- Modify UserDefaults.Apply() to accept an optional parameter excluding admin flags during signup
- Add integration tests enforcing that signup-created users never receive admin privileges regardless of defaults
- Update settings validation to warn about or prevent setting defaults.perm.admin = true when signup = true
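The guard and the settings validation above, as an added Go example written for this advisory; the Permissions, UserDefaults, User and Settings types and the NewSignupUser and ValidateSettings functions are simplified stand-ins, not File Browser's own code:

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for File Browser's settings and user types,
// constructed for this example; they are not the project's real structs.
type Permissions struct {
	Admin  bool
	Create bool
	Modify bool
}
type UserDefaults struct{ Perm Permissions }
type User struct {
	Username string
	Perm     Permissions
}
type Settings struct {
	Signup   bool
	Defaults UserDefaults
}

// Apply copies every default onto the user, including Perm.Admin. This is
// the inheritance the advisory describes; on its own it is the bug.
func (d UserDefaults) Apply(u *User) { u.Perm = d.Perm }

// NewSignupUser builds a self-registered account: apply the defaults, then
// unconditionally clear the admin flag (the guard after Defaults.Apply
// that the first patch requirement calls for).
func NewSignupUser(username string, s Settings) (*User, error) {
	if !s.Signup {
		return nil, errors.New("signup is disabled")
	}
	u := &User{Username: username}
	s.Defaults.Apply(u)
	u.Perm.Admin = false // self-signup can never yield an administrator
	return u, nil
}

// ValidateSettings is the settings-validation control from the patch
// requirements: it rejects public signup combined with admin defaults,
// so the unsafe pair cannot be saved in the first place.
func ValidateSettings(s Settings) error {
	if s.Signup && s.Defaults.Perm.Admin {
		return fmt.Errorf("unsafe configuration: signup=true with defaults.perm.admin=true")
	}
	return nil
}
```

Non-admin defaults (Create, Modify) still flow through, so the guard narrows only the privilege the advisory is about.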
Long-term Controls:
- Separate admin-safe defaults from signup defaults in code
- Implement role-based default profiles with explicit restrictions
- Require explicit admin promotion via separate API call (never via defaults)
Risk Assessment
Likelihood of Exploitation in the Wild: High. This is a logic flaw in happy-path code, not a complex exploit requiring deep system knowledge. Any administrator running File Browser with public signup enabled and default admin set (perhaps during initial setup) is at risk. Default misconfigurations are common when security is an afterthought.
Threat Actor Interest: Critical. Privilege escalation vulnerabilities enabling unauthenticated admin access are primary targets for opportunistic attackers scanning public instances. Mass vulnerability scanners will detect deployments matching both preconditions.
Exploitability: Trivial—requires only HTTP POST registration and no authentication bypass.
Business Impact: Total loss of confidentiality, integrity, and availability for affected deployments.
Sources