Description
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.
Published: 2026-01-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Username Enumeration via timing attack on /api/login
Action: Immediate Patch
AI Analysis

Impact

File Browser’s authentication routine prematurely exits when a supplied username does not exist, whereas it performs a costly bcrypt comparison for existing usernames. This timing difference allows an unauthenticated attacker to deduce valid usernames by consistently measuring response latency, thereby revealing account names that could be leveraged for subsequent credential abuse or social engineering. The weakness is classified as CWE-203 and CWE-208, representing information leakage through timing and race conditions.

Affected Systems

The flaw affects all instances of File Browser prior to version 2.55.0. Users deploying any version before that threshold, regardless of operating system or environment, are susceptible if the /api/login interface is exposed to the network.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate impact, and the EPSS score of less than 1% suggests a low probability of exploitation under current threat intelligence. However, the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to measure timing accurately, which may be easier on low‑latency, high‑packet‑rate networks. The attack vector is primarily remote, accessed through the web API endpoint exposed over the network. Once enumeration is achieved, attackers can attempt to guess or brute‑force passwords for the revealed accounts, potentially escalating to full compromise of the file management system.

Generated by OpenCVE AI on April 18, 2026 at 04:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.55.0 or later to apply the official patch that removes the premature return logic.
  • If immediate upgrade is not possible, restrict access to the /api/login endpoint by implementing IP whitelisting or network segmentation to limit the attack surface.
  • Deploy rate‑limiting or CAPTCHA mechanisms on the login endpoint to reduce the feasibility of timing measurements used for enumeration.

Generated by OpenCVE AI on April 18, 2026 at 04:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-43mm-m3h2-3prc File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login
History

Tue, 03 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-203
CPEs cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Filebrowser
Filebrowser filebrowser
Vendors & Products Filebrowser
Filebrowser filebrowser

Mon, 19 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
Description File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.
Title File Browser vulnerable to Username Enumeration via Timing Attack in /api/login
Weaknesses CWE-208
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Filebrowser Filebrowser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T15:54:36.499Z

Reserved: 2026-01-16T15:46:40.843Z

Link: CVE-2026-23849

cve-icon Vulnrichment

Updated: 2026-01-20T15:54:30.710Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-19T21:15:51.653

Modified: 2026-02-03T14:30:45.250

Link: CVE-2026-23849

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:00:06Z

Weaknesses