CVE-2026-54089
published 2026-06-25CVE-2026-54089: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with…
PriorityP264critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EPSS
0.34%
25.6th percentile
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.gohttps://github.com/filebrowser/filebrowser/blob/main/http/auth.go#L121-L137https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qmhttps://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qm
2026-06-25
Published