CVE-2026-54089

9.1 CRITICAL (CVSS 3.1)  ·  Exploitation: PoC
Description
File Browser is a file management interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with version 2.0.0-rc.1, when File Browser is configured for proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user, including admin, by sending a single forged HTTP header; no credentials are required. Additionally, supplying a non-existent username causes the server to create a new user account automatically, which provides an account-creation primitive with no authorization. This behaviour has been described in the project documentation for several years, but it had not previously been documented as a vulnerability.

Metadata

CVE ID:           CVE-2026-54089
State:            PUBLISHED
Assigner:         GitHub_M
Reserved:         2026-06-11 18:44 UTC
Published:        2026-06-25 17:46 UTC
Last updated:     2026-06-25 18:33 UTC
Primary CWE:      CWE-287: Improper Authentication
Vendor / Product: filebrowser / filebrowser

Severity & Metrics

CVSS 3.1 base score: 9.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC — CISA Coordinator
  Exploitation:  PoC
  Automatable:   yes
  Tech. Impact:  total
Affected products (1)

Vendor       Product      Platform   Versions
filebrowser  filebrowser  -          >= 2.0.0-rc.1

Weakness (CWE)

CWE      Source  Description
CWE-287  cna     Improper Authentication
CWE-290  cna     Authentication Bypass by Spoofing

CVSS scores (1)

Score  Severity  Version  Source  Vector
9.1    CRITICAL  3.1      cna     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N