File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser builds new user scopes from usernames passed through cleanUsername() when Signup=true and CreateUserDir=true, but the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory without checking whether the resulting scope is already taken, allowing a second registrant to gain full read and write access to another user's files. This issue is fixed in version 2.63.17.
Metrics
Affected Vendors & Products
References
History
Wed, 15 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Filebrowser
Filebrowser filebrowser |
|
| Vendors & Products |
Filebrowser
Filebrowser filebrowser |
Wed, 15 Jul 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser builds new user scopes from usernames passed through cleanUsername() when Signup=true and CreateUserDir=true, but the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory without checking whether the resulting scope is already taken, allowing a second registrant to gain full read and write access to another user's files. This issue is fixed in version 2.63.17. | |
| Title | File Browser: Colliding username normalization gives two users the same home directory | |
| Weaknesses | CWE-647 CWE-706 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T15:47:23.539Z
Reserved: 2026-07-14T20:22:04.395Z
Link: CVE-2026-62685
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T19:15:14Z