CVE-2026-54089
CRITICAL SEVERITYCVSS Score & Metrics
Base Score
9.1 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-287
Source
NVD
Vendor
filebrowser
Product
filebrowser
External References
- https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.go
- https://github.com/filebrowser/filebrowser/blob/main/http/auth.go#L121-L137
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qm
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qm
Discussion (0)
Add Comment
No comments yet. Be the first!