Cases

GHSA-7526-j432-6ppp

Severity: HIGH
Repository: filebrowser/filebrowser
Published: Apr 8, 2026, 12:05 AM
Ref: a8fc1657b796c5da7190466beff13e680721b6d3
Advisory summary

File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands

Curator analysis
Synopsis

Proxy-auth auto-provisioned users inherit Execute permission and configured Commands from global defaults because the proxy user-creation path applies defaults without stripping execution capabilities, unlike the signup path.

Vulnerability classes
privilege escalation; incorrect privilege assignment
Sink hints

auth/proxy.go

The advisory identifies createUser() in this file as the vulnerable sink: on a proxy-auth user's first login, provisioning applies the default-user settings to the new account and does not clear the Execute permission or the configured Commands afterward, so whatever the operator set as defaults becomes the new user's effective capability.

http/auth.go

The advisory cites the signup handler here as the intended safe comparison path, where defaults are applied and then execution capability is explicitly stripped from automatically provisioned users.
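To make the difference between the two paths concrete, here is an added Go example (not File Browser's own code and not the fix) that models a proxy-auth provisioning step which applies defaults and stops, beside the signup-style step that strips execution capability afterward, plus the audit check an operator would run over existing accounts after upgrading. All type and function names (Permissions, Defaults, applyDefaults, stripExecution, provisionProxyUserVulnerable, provisionProxyUserFixed, findExecCapable) are simplified stand-ins assumed for this example, not identifiers from the repository, and the default profile is constructed.

```go
package main

import "fmt"

// Permissions is a simplified stand-in (assumed for this example) for a
// per-user permission set; only Execute matters for the advisory.
type Permissions struct {
	Admin   bool
	Execute bool
	Create  bool
	Modify  bool
}

// User is a simplified stand-in for an auto-provisioned account.
type User struct {
	Username string
	Perm     Permissions
	Commands []string // commands the account may run when Execute is set
	Scope    string
}

// Defaults is the operator-configured "default user" profile that both
// provisioning paths copy onto a new account.
type Defaults struct {
	Perm     Permissions
	Commands []string
	Scope    string
}

// applyDefaults copies the default profile onto a fresh user. Both paths
// below start here; the difference is what happens afterward.
func applyDefaults(u *User, d Defaults) {
	u.Perm = d.Perm
	u.Commands = append([]string(nil), d.Commands...)
	u.Scope = d.Scope
}

// stripExecution removes execution capability after defaults are applied.
// This is the post-default step the advisory says the signup path performs
// and the proxy path omits.
func stripExecution(u *User) {
	u.Perm.Execute = false
	u.Commands = nil
}

// provisionProxyUserVulnerable models the behaviour described in the
// advisory: defaults are applied and the account is returned as-is, so an
// Execute bit or command list in the default profile is inherited.
func provisionProxyUserVulnerable(username string, d Defaults) *User {
	u := &User{Username: username}
	applyDefaults(u, d)
	return u
}

// provisionProxyUserFixed is the same path with the strip applied, i.e. what
// aligning the proxy path with the signup path looks like in this model.
func provisionProxyUserFixed(username string, d Defaults) *User {
	u := &User{Username: username}
	applyDefaults(u, d)
	stripExecution(u)
	return u
}

// canRunCommands reports whether an account can actually execute something:
// it needs both the Execute permission and at least one configured command.
func canRunCommands(u *User) bool {
	return u.Perm.Execute && len(u.Commands) > 0
}

// findExecCapable is the audit an operator would run over the user store
// after upgrading: accounts that can still run commands are listed by name.
func findExecCapable(users []*User) []string {
	var out []string
	for _, u := range users {
		if canRunCommands(u) {
			out = append(out, u.Username)
		}
	}
	return out
}

func main() {
	// Constructed default profile: an operator who enabled Execute and a
	// command allowlist on the default user for convenience.
	d := Defaults{
		Perm:     Permissions{Execute: true, Create: true},
		Commands: []string{"git", "ls"},
		Scope:    "/srv/files",
	}
	v := provisionProxyUserVulnerable("alice", d)
	f := provisionProxyUserFixed("bob", d)
	fmt.Printf("vulnerable proxy path: execute=%v commands=%v\n", v.Perm.Execute, v.Commands)
	fmt.Printf("fixed proxy path:      execute=%v commands=%v\n", f.Perm.Execute, f.Commands)
	fmt.Printf("accounts still able to run commands: %v\n", findExecCapable([]*User{v, f}))
}
```

The point of the model is that stripping has to happen after applyDefaults on every automatic provisioning path, not only on signup; an auto-provisioned proxy identity is attacker-influenced input, so it should never receive a capability the operator did not grant that user explicitly. After upgrading, run the equivalent of findExecCapable over the real user store, since accounts created while the proxy path was vulnerable keep whatever they inherited.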

Expected components
proxy auth handler; auto-provisioned user creation; default settings application

Model scores (5)

openai/gpt-5.4 (excellent): Target Alignment 30, Source To Sink Reasoning 30, Impact And Exploitability 20, Evidence Quality 10, Overclaim Control 10

anthropic/claude-opus-4.6 (excellent): Target Alignment 29, Source To Sink Reasoning 27, Impact And Exploitability 16, Evidence Quality 10, Overclaim Control 7

moonshotai/kimi-k2.5 (partial): Target Alignment 28, Source To Sink Reasoning 27, Impact And Exploitability 11, Evidence Quality 8, Overclaim Control 1

google/gemini-3.1-pro-preview (partial): Target Alignment 29, Source To Sink Reasoning 27, Impact And Exploitability 8, Evidence Quality 10, Overclaim Control 0

z-ai/glm-5.1 (partial): Target Alignment 26, Source To Sink Reasoning 27, Impact And Exploitability 6, Evidence Quality 9, Overclaim Control 2