Vulnerability Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.go
- https://github.com/filebrowser/filebrowser/blob/main/http/auth.go#L121-L137
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3
FAQ
What is CVE-2026-54089?
CVE-2026-54089 is a vulnerability with a CVSS score of 9.1 (CRITICAL). File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with p...
How severe is CVE-2026-54089?
CVE-2026-54089 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-54089?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.