Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1.
Published: 2026-02-09
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover via Password Reset Bypass
Action: Immediate Patch
AI Analysis

Impact

File Browser allows directory-based file management and includes functionality for uploading, deleting, previewing, renaming, and editing files. A case‑sensitivity flaw in the password validation logic permits any authenticated user to change their own password or an administrator to change any user’s password without providing the current password. By sending a request field named "Password" instead of the required lowercase "password", the current_password check is bypassed, enabling an attacker who already holds a valid JWT token to take over an account. This results in unauthorized access to file system content, potential data exposure, or further internal compromise.

Affected Systems

The vulnerability affects instances of File Browser supplied by the vendor filebrowser, currently version 2.57.1 is the first release with the fix. All earlier releases prior to 2.57.1 are vulnerable.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity, while the EPSS score is less than 1%, implying a low but non‑zero probability of exploitation at the time of analysis. The vulnerability does not appear in the CISA KEV catalog. Exploitation requires the attacker to possess a valid JWT token, which could be obtained via XSS, session hijacking, or other means. Once a token is in hand, the bypass is straightforward, providing full password reset capability and effectively account takeover.

Generated by OpenCVE AI on April 17, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.57.1 or later
  • Re‑enable or enforce current_password verification if a custom deployment removed the check
  • Apply strong password policies and limit JWT privilege scopes to reduce impact if an attacker obtains a token
  • Monitor account activity for unexplained password changes

Generated by OpenCVE AI on April 17, 2026 at 21:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hxw8-4h9j-hq2r File Browser has an Authentication Bypass in User Password Update
History

Mon, 23 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Filebrowser
Filebrowser filebrowser
Vendors & Products Filebrowser
Filebrowser filebrowser

Mon, 09 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1.
Title File Browser has an Authentication Bypass in User Password Update
Weaknesses CWE-178
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Filebrowser Filebrowser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T15:57:57.441Z

Reserved: 2026-02-06T21:08:39.130Z

Link: CVE-2026-25889

cve-icon Vulnrichment

Updated: 2026-02-10T15:30:09.148Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-09T22:16:03.723

Modified: 2026-02-23T17:55:17.183

Link: CVE-2026-25889

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z

Weaknesses