Summary
Description
The resourcePatchHandler in http/resource.go validates the destination path against configured access rules before the path is cleaned/normalized. The rules engine (rules/rules.go) uses literal string prefix matching (strings.HasPrefix) or regex matching against the raw path. The actual file operation (fileutils.Copy, patchAction) subsequently calls path.Clean() which resolves .. sequences, producing a different effective path than the one validated.
This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules by including .. (dot-dot) path traversal sequences in the destination query parameter of a PATCH request.
Steps to Reproduce
1. Verify the rule works normally
# This should return 403 Forbidden
curl -X PATCH \
-H "X-Auth: <alice_jwt>" \
"http://host/api/resources/public/test.txt?action=copy&destination=%2Frestricted%2Fcopied.txt"
2. Exploit the bypass
# This should succeed despite the deny rule
curl -X PATCH \
-H "X-Auth: <alice_jwt>" \
"http://host/api/resources/public/test.txt?action=copy&destination=%2Fpublic%2F..%2Frestricted%2Fcopied.txt"
3. Result
The file test.txt is copied to /restricted/copied.txt despite the deny rule for /restricted/.
Root Cause Analysis
In http/resource.go:209-257:
dst := r.URL.Query().Get("destination") // line 212
dst, err := url.QueryUnescape(dst) // line 214, dst contains ".."
if !d.Check(src) || !d.Check(dst) { // line 215, CHECK ON UNCLEANED PATH
return http.StatusForbidden, nil
}
In rules/rules.go:29-35:
func (r *Rule) Matches(path string) bool {
if r.Regex {
return r.Regexp.MatchString(path) // regex on literal path
}
return strings.HasPrefix(path, r.Path) // prefix on literal path
}
In fileutils/copy.go:12-17:
func Copy(afs afero.Fs, src, dst string, ...) error {
if dst = path.Clean("/" + dst); dst == "" { // CLEANING HAPPENS HERE, AFTER CHECK
return os.ErrNotExist
}
The rules check sees /public/../restricted/copied.txt (no match for /restricted/ prefix).
The file operation resolves it to /restricted/copied.txt (within the restricted path).
Secondary Issue
In the same handler, the error from url.QueryUnescape is checked after d.Check() runs (lines 214-220), meaning the rules check executes on a potentially malformed string if unescaping fails.
Impact
An authenticated user with Copy (Create) or Rename permission can write or move files into any path within their scope that is protected by deny rules. This bypasses both:
- Prefix-based rules: strings.HasPrefix on the uncleaned path misses the match
- Regex-based rules: standard patterns like ^/restricted/.* fail on the uncleaned path
Cannot be used to:
- Escape the user's BasePathFs scope (afero prevents this)
- Read from restricted paths (GET handler uses cleaned r.URL.Path)
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-32758 has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.62.0); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Clean the destination path before the rules check:
dst, err := url.QueryUnescape(dst)
if err != nil {
return errToStatus(err), err
}
dst = path.Clean("/" + dst)
src = path.Clean("/" + src)
if !d.Check(src) || !d.Check(dst) {
return http.StatusForbidden, nil
}
if dst == "/" || src == "/" {
return http.StatusForbidden, nil
}
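The bypass described under Root Cause Analysis and the remediation just above, as an added Go example that is not filebrowser's own code: a reconstruction of the prefix/regex deny-rule check, run once on the raw destination (as the vulnerable handler did) and once after path.Clean (as the fix does). The names Rule, checkVulnerable, checkFixed and restrictedRules are chosen here for illustration.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Rule mirrors the shape of the rules described on this page: a deny rule is
// either a literal prefix or a regular expression tested against the path it
// receives. Illustrative reconstruction, not the project's own type.
type Rule struct {
	Regex  bool
	Path   string
	Regexp *regexp.Regexp
}

// Matches performs no normalization of its own: it tests exactly the string
// it is handed, which is what makes the order of clean vs. check matter.
func (r Rule) Matches(p string) bool {
	if r.Regex {
		return r.Regexp.MatchString(p)
	}
	return strings.HasPrefix(p, r.Path)
}

// checkVulnerable validates the raw destination, before any cleaning.
func checkVulnerable(rules []Rule, dst string) bool {
	for _, r := range rules {
		if r.Matches(dst) {
			return false
		}
	}
	return true
}

// checkFixed normalizes first, so the rules see the same path the file
// operation will use, and refuses the bare root as the remediation does.
func checkFixed(rules []Rule, dst string) bool {
	dst = path.Clean("/" + dst)
	if dst == "/" {
		return false
	}
	return checkVulnerable(rules, dst)
}

// Constructed deny rules equivalent to the /restricted/ rule on this page.
var restrictedRules = []Rule{
	{Path: "/restricted/"},
	{Regex: true, Regexp: regexp.MustCompile(`^/restricted/.*`)},
}

func main() {
	dst := "/public/../restricted/copied.txt"
	fmt.Println("raw check allows:", checkVulnerable(restrictedRules, dst)) // true
	fmt.Println("effective path:", path.Clean("/"+dst))                    // /restricted/copied.txt
	fmt.Println("fixed check allows:", checkFixed(restrictedRules, dst))    // false
}
```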
Frequently Asked Questions
- What is CVE-2026-32758? CVE-2026-32758 is a medium-severity path traversal vulnerability in github.com/filebrowser/filebrowser/v2 (go), affecting versions <= 2.61.2. It is fixed in 2.62.0. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is CVE-2026-32758? CVE-2026-32758 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/filebrowser/filebrowser/v2 are affected by CVE-2026-32758? github.com/filebrowser/filebrowser/v2 (go) versions <= 2.61.2 are affected.
- Is there a fix for CVE-2026-32758? Yes. CVE-2026-32758 is fixed in 2.62.0. Upgrade to this version or later.
- Is CVE-2026-32758 exploitable, and should I be worried? Whether CVE-2026-32758 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-32758 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-32758? Upgrade github.com/filebrowser/filebrowser/v2 to 2.62.0 or later.