Clockwatching: Weaponizing Milliseconds in File Browser Authentication
Vulnerability ID: CVE-2026-23849
CVSS Score: 5.3
Published: 2026-01-21
A classic timing side channel in the popular File Browser application lets unauthenticated attackers enumerate valid usernames by measuring how long the server takes to reject a login attempt.
TL;DR
File Browser versions prior to 2.55.0 returned from the login handler as soon as the username lookup failed, without ever running the bcrypt password check, so the rejection path was not constant-time across the two cases. A bcrypt verification is deliberately expensive and takes far longer than a database miss, so unknown usernames were rejected noticeably faster than known usernames with a wrong password. By timing responses, an attacker can accurately map out which accounts exist on the system.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-208
- Attack Vector: Network
- CVSS: 5.3 (Medium)
- EPSS Score: 0.0009
- Impact: Information Disclosure (Username Enumeration)
- Exploit Status: PoC Available
Affected Systems
- File Browser (GitHub: filebrowser/filebrowser): versions < 2.55.0 (fixed in 2.55.0)
Code Analysis
Commit: 24781ba
fix: prevent username enumeration by using constant time comparison
Changes auth logic to ensure bcrypt is called even if user lookup fails
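The vulnerable and fixed login paths side by side, as an added illustration that is not File Browser's code and not the commit above. To run without external modules it replaces bcrypt with an iterated-SHA-256 stand-in of similar cost; the user store, usernames and passwords are constructed, and `hashCalls` is a counter added purely so the fix can be checked without relying on wall-clock timing. The hardened path follows the pattern the fix commit describes: when the lookup fails, hash against a dummy record anyway, and only then fold in the lookup result. `medianLatency` is the attacker's side of the story, the measurement that separates known from unknown users on the vulnerable handler.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"sort"
	"time"
)

// hashCalls counts slowHash invocations so the effect of the fix can be
// checked deterministically, independent of timing noise.
var hashCalls int

// slowHash stands in for bcrypt: iterated SHA-256 over salt||password.
// It is deliberately expensive so that skipping it is measurable, exactly as
// skipping bcrypt was in File Browser before 2.55.0. Not a real password
// hash; use bcrypt or argon2 in production.
const hashRounds = 200_000

func slowHash(password, salt string) []byte {
	hashCalls++
	sum := sha256.Sum256([]byte(salt + password))
	for i := 1; i < hashRounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

type record struct {
	salt string
	hash []byte
}

// Constructed user store (hypothetical data, not from the project).
var users = map[string]record{
	"admin": {salt: "salt-1", hash: slowHash("correct horse", "salt-1")},
}

// dummy is hashed once at startup with the same cost as real users; the
// hardened path verifies unknown usernames against it.
var dummy = record{salt: "dummy", hash: slowHash("unused-dummy-password", "dummy")}

// loginVulnerable mirrors the pre-2.55.0 shape: unknown users short-circuit
// before any hashing, so their rejection is orders of magnitude faster.
func loginVulnerable(username, password string) bool {
	u, ok := users[username]
	if !ok {
		return false // fast path: no hash computed, timing leaks existence
	}
	return subtle.ConstantTimeCompare(slowHash(password, u.salt), u.hash) == 1
}

// loginHardened always pays the hash cost, substituting the dummy record when
// the user does not exist, and combines the lookup result afterwards.
func loginHardened(username, password string) bool {
	u, ok := users[username]
	if !ok {
		u = dummy
	}
	match := subtle.ConstantTimeCompare(slowHash(password, u.salt), u.hash) == 1
	return ok && match // both operands already computed; no early return
}

// medianLatency is the attacker's measurement: median time to reject a wrong
// password for a username. On the vulnerable handler the gap between an
// existing and a non-existing user is the entire hash cost.
func medianLatency(login func(string, string) bool, username string, samples int) time.Duration {
	ds := make([]time.Duration, samples)
	for i := range ds {
		start := time.Now()
		login(username, "definitely-wrong")
		ds[i] = time.Since(start)
	}
	sort.Slice(ds, func(i, j int) bool { return ds[i] < ds[j] })
	return ds[len(ds)/2]
}

func main() {
	for name, login := range map[string]func(string, string) bool{
		"vulnerable": loginVulnerable,
		"hardened":   loginHardened,
	} {
		fmt.Printf("%-10s known=%v unknown=%v\n", name,
			medianLatency(login, "admin", 5),
			medianLatency(login, "nobody", 5))
	}
}
```

With real bcrypt in Go the same shape applies: keep a dummy hash generated at startup with the production cost factor and call `bcrypt.CompareHashAndPassword(dummyHash, password)` when the lookup misses. Two caveats a practitioner should check after patching: the dummy hash must use the same cost as live accounts, or the gap simply shrinks rather than disappears, and the HTTP status code and error body must be identical for both cases, since a different message is an even easier oracle than a few milliseconds. Over a real network the attacker needs more samples and a median to beat jitter, but the signal from a skipped bcrypt call is large enough that this is routine.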
Exploit Details
- GitHub Security Advisory: Original advisory containing the timing attack logic
Mitigation Strategies
- Implement constant-time authentication logic: run the password hash (against a dummy hash of the same cost) even when the username does not exist, and return the same status and error body in both cases
- Enforce strict Rate Limiting on login endpoints
- Use Fail2Ban or similar tools to block IPs with high failure rates
Remediation Steps:
- Stop the File Browser service.
- Download the v2.55.0 binary or pull the latest Docker image.
- Replace the old binary.
- Restart the service.
- Verify the version in the settings menu.
References
- GitHub Security Advisory for CVE-2026-23849 (filebrowser/filebrowser) and fix commit 24781ba