CVE-2026-62685 PUBLISHED

File Browser: Colliding username normalization gives two users the same home directory

Assigner: GitHub_M
Reserved: 14.07.2026 Published: 15.07.2026 Updated: 15.07.2026

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser builds new user scopes from usernames passed through cleanUsername() when Signup=true and CreateUserDir=true, but the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory without checking whether the resulting scope is already taken, allowing a second registrant to gain full read and write access to another user's files. This issue is fixed in version 2.63.17.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.1

Product Status

Vendor filebrowser
Product filebrowser
Versions
  • Version < 2.63.17 is affected

References

Problem Types

  • CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions CWE
  • CWE-706: Use of Incorrectly-Resolved Name or Reference CWE