CVE-2026-54089

Source
https://cve.org/CVERecord?id=CVE-2026-54089
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54089.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54089
Aliases
Published
2026-06-25T17:46:13.119Z
Modified
2026-07-08T08:13:45.411379489Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
File Browser: Authentication Bypass via Proxy Auth Header Forgery
Details

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54089.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287",
        "CWE-290"
    ]
}
References

Affected packages

Git / github.com/filebrowser/filebrowser

Affected ranges

Type
GIT
Repo
https://github.com/filebrowser/filebrowser
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": ">= 2.0.0-rc.1"
        },
        {
            "last_affected": ">= 2.0.0-rc.1"
        }
    ]
}

Affected versions

>= 2.*
>= 2.0.0-rc.1
v2.*
v2.0.0-rc.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54089.json"