Skip to main content

File Browser CVE-2026-54089

| EUVDEUVD-2026-39508 CRITICAL
Improper Authentication (CWE-287)
2026-06-25 GitHub_M GHSA-xqp3-jq6g-x3qm
9.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
9.8 CRITICAL

Once proxy auth is enabled, a single forged header gives unauthenticated remote admin (AV:N/AC:L/PR:N/UI:N); full file read/write/delete justifies C:H/I:H/A:H, with the non-default config noted as a deployment precondition rather than attacker complexity.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 18:54 vuln.today

DescriptionCVE.org

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.

AnalysisAI

Authentication bypass and privilege escalation in File Browser (versions 2.0.0-rc.1 and later) lets a remote unauthenticated attacker impersonate any account - including admin - by sending a single forged HTTP header when the server runs with proxy authentication (auth.method=proxy). The same flaw doubles as an unauthorized account-creation primitive, since supplying a non-existent username silently provisions a new user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach File Browser directly bypassing proxy
Delivery
Forge proxy identity HTTP header as admin
Exploit
Server trusts unverified header
Execution
Authenticate as impersonated admin
Impact
Read/modify/delete files or auto-create accounts

Vulnerability AssessmentAI

Exploitation Requires the target to be configured with proxy authentication (auth.method=proxy) AND for the File Browser server to be directly reachable on the network by the attacker, bypassing the trusted reverse proxy that normally sets the identity header. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent on the high-severity end: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N describes trivial network exploitation with no privileges or user interaction, yielding full confidentiality and integrity loss, which fits a single-header admin impersonation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can route to a proxy-authenticated File Browser instance directly (for example, an exposed container port or an internal host) sends an HTTP request with the proxy identity header set to the admin username. The server accepts the forged header without verifying the request came from the trusted proxy, granting full admin access to browse, modify, and delete files; supplying a novel username instead silently creates a fresh account. …
Remediation No vendor-released patch version was identified at time of analysis; the GitHub advisory (https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qm) documents the issue, so monitor it for a fixed release and upgrade once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit infrastructure for File Browser deployments; identify instances with proxy authentication enabled (auth.method=proxy); immediately restrict all external network access to affected instances via firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-29188 CRITICAL POC
9.1 Mar 05

Unauthorized file operations in File Browser before fix. PoC and patch available.

CVE-2023-39612 CRITICAL POC
9.0 Sep 16

A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate pr

CVE-2026-25890 HIGH POC
8.1 Feb 09

Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictio

CVE-2025-52995 HIGH POC
8.0 Jun 30

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2025-52902 HIGH POC
7.6 Jun 26

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2026-28492 MEDIUM POC
6.5 Mar 05

File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public s

CVE-2025-52997 MEDIUM POC
5.9 Jun 30

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2025-52900 MEDIUM POC
5.5 Jun 26

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2026-25889 MEDIUM POC
5.4 Feb 09

Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password

CVE-2026-48777 CRITICAL
9.3 Jun 16

Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all

CVE-2026-23849 MEDIUM POC
5.3 Jan 19

Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuri

CVE-2026-54088 CRITICAL POC
9.3 Jun 25

Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS c

Share

CVE-2026-54089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy