Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.
Published: 2026-06-25
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

File Browser is a web‑based file management tool. Beginning with release 2.0.0‑rc.1, if the application is configured to use proxy authentication (auth.method=proxy), an attacker who can reach the server over HTTP can forge a single proxy‑authentication header. Because the server accepts the header unvalidated, the request is processed as the indicated user, allowing the attacker to impersonate any account, including the administrator. If the username supplied does not exist, the server automatically creates a new account, giving the attacker an account‑creation primitive with no authorization required.

Affected Systems

The vulnerability affects the File Browser product (officially identified as). It is present in all releases from 2.0.0‑rc.1 onward; the precise fix version has not been published in the provided data.

Risk and Exploitability

The CVSS score of 9.1 places this flaw in the Critical severity band. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. A remote attacker can exploit it by sending a crafted HTTP request with a forged proxy-authentication header from any host that can reach the File Browser instance. No credentials are required, and the attack can be performed from the internet if the service is exposed, so the risk is significant for publicly reachable installations.

Generated by OpenCVE AI on June 25, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to the latest patch that fixes the proxy authentication header validation.
  • Temporarily disable proxy authentication (auth.method=proxy) until the patch can be applied.
  • If disabling proxy authentication is not an option, configure the ingress or reverse proxy to strip or validate the proxy‑authentication header before forwarding requests to File Browser.
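As an added illustration of the weakness class (CWE-290) and of the validation the third action above asks for, the following Go program is not File Browser's code. It contrasts a handler that believes the proxy header from any peer and auto-provisions unknown users, the pattern the description reports, with a hardened version that honours the header only when the TCP peer is a configured reverse-proxy address and never creates accounts from it. The header name X-Forwarded-User, the trusted network 10.0.0.0/8 and the user store are constructed assumptions; File Browser's real header is whatever auth.header is set to, which this page does not state.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Assumed header name for this example; the real one is set by auth.header.
const ProxyAuthHeader = "X-Forwarded-User"

// UserStore is a constructed stand-in for the application's user database.
type UserStore map[string]bool

var (
	ErrNoHeader      = errors.New("no proxy auth header")
	ErrUntrustedPeer = errors.New("proxy auth header from untrusted peer")
	ErrUnknownUser   = errors.New("proxy-asserted user does not exist")
)

// weakIdentity mirrors the pattern the advisory describes (illustrative, not
// File Browser's code): any peer's header is believed, unknown users are created.
func weakIdentity(r *http.Request, users UserStore) (user string, created bool) {
	user = r.Header.Get(ProxyAuthHeader)
	if user == "" {
		return "", false
	}
	if !users[user] {
		users[user] = true // auto-provisioning: the account-creation primitive
		created = true
	}
	return user, created
}

// peerIsTrusted tests the TCP peer address (not X-Forwarded-For, which the
// client also controls) against the configured reverse-proxy networks.
func peerIsTrusted(remoteAddr string, trusted []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	for _, n := range trusted {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// identityFromProxy is the hardened form: the header is honoured only when the
// request came from a trusted proxy, and it never creates accounts.
func identityFromProxy(r *http.Request, trusted []*net.IPNet, users UserStore) (string, error) {
	user := r.Header.Get(ProxyAuthHeader)
	if user == "" {
		return "", ErrNoHeader
	}
	if !peerIsTrusted(r.RemoteAddr, trusted) {
		return "", ErrUntrustedPeer
	}
	if !users[user] {
		return "", ErrUnknownUser
	}
	return user, nil
}

// mustParseCIDRs turns config strings such as "10.0.0.0/8" into networks.
func mustParseCIDRs(cidrs []string) []*net.IPNet {
	var out []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// newRequest builds a constructed request from a given TCP peer, carrying the
// proxy header unless headerUser is empty.
func newRequest(remoteAddr, headerUser string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/api/resources", nil)
	r.RemoteAddr = remoteAddr
	if headerUser != "" {
		r.Header.Set(ProxyAuthHeader, headerUser)
	}
	return r
}

func main() {
	trusted := mustParseCIDRs([]string{"10.0.0.0/8"})
	direct := newRequest("203.0.113.7:40000", "admin") // reaches the listener directly
	u, created := weakIdentity(direct, UserStore{"alice": true})
	fmt.Printf("weak pattern: user=%q created=%v\n", u, created)
	_, err := identityFromProxy(direct, trusted, UserStore{"alice": true, "admin": true})
	fmt.Println("hardened pattern:", err)
}
```

Because the description says the attacker must be able to reach the server directly, stripping or rewriting the header at the reverse proxy only helps when the File Browser listener is reachable from nowhere but that proxy (bound to loopback or firewalled to the proxy's address); the peer check above enforces the same boundary inside the application, and the refusal to auto-create users removes the account-creation primitive even if the check were misconfigured.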

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Filebrowser; Filebrowser filebrowser
Vendors & Products | | Filebrowser; Filebrowser filebrowser

Thu, 25 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.
Title | | File Browser: Authentication Bypass via Proxy Auth Header Forgery
Weaknesses | | CWE-287, CWE-290
References | |
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:33:37.531Z

Reserved: 2026-06-11T18:44:47.761Z

Link: CVE-2026-54089

Vulnrichment

Updated: 2026-06-25T18:33:32.309Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses
  • CWE-287: Improper Authentication
  • CWE-290: Authentication Bypass by Spoofing