Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Once proxy auth is enabled, a single forged header gives unauthenticated remote admin (AV:N/AC:L/PR:N/UI:N); full file read/write/delete justifies C:H/I:H/A:H, with the non-default config noted as a deployment precondition rather than attacker complexity.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.
AnalysisAI
Authentication bypass and privilege escalation in File Browser (versions 2.0.0-rc.1 and later) lets a remote unauthenticated attacker impersonate any account - including admin - by sending a single forged HTTP header when the server runs with proxy authentication (auth.method=proxy). The same flaw doubles as an unauthorized account-creation primitive, since supplying a non-existent username silently provisions a new user. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the target to be configured with proxy authentication (auth.method=proxy) AND for the File Browser server to be directly reachable on the network by the attacker, bypassing the trusted reverse proxy that normally sets the identity header. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent on the high-severity end: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N describes trivial network exploitation with no privileges or user interaction, yielding full confidentiality and integrity loss, which fits a single-header admin impersonation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can route to a proxy-authenticated File Browser instance directly (for example, an exposed container port or an internal host) sends an HTTP request with the proxy identity header set to the admin username. The server accepts the forged header without verifying the request came from the trusted proxy, granting full admin access to browse, modify, and delete files; supplying a novel username instead silently creates a fresh account. … |
| Remediation | No vendor-released patch version was identified at time of analysis; the GitHub advisory (https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qm) documents the issue, so monitor it for a fixed release and upgrade once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit infrastructure for File Browser deployments; identify instances with proxy authentication enabled (auth.method=proxy); immediately restrict all external network access to affected instances via firewall rules. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Filebrowser
View allUnauthorized file operations in File Browser before fix. PoC and patch available.
A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate pr
Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictio
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public s
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password
Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all
Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuri
Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS c
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39508
GHSA-xqp3-jq6g-x3qm