Case Sensitive, Security Insensitive: Bypassing Auth in File Browser
Vulnerability ID: CVE-2026-25889
CVSS Score: 5.4
Published: 2026-02-10
File Browser, the beloved Swiss Army knife for self-hosted file management, suffered from a classic logic error: it forgot that 'Password' and 'password' are not the same thing in the eyes of a Go map. This vulnerability allows an authenticated user (or an attacker with a hijacked session) to change their password—or potentially others—without knowing the current password, effectively bypassing the application's account takeover protection mechanism. It's a textbook example of how a single capital letter can dismantle an entire security check.
TL;DR
A case-sensitivity flaw in File Browser's user update logic allows attackers to bypass the 'current password' requirement when changing credentials. By sending 'Password' (Title Case) instead of 'password' (lowercase) in the API request, the security check is skipped, but the password update still succeeds. Fixed in version 2.57.1.
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-25889
- CVSS: 5.4 (Medium)
- CWE: CWE-178 (Improper Handling of Case Sensitivity)
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Attack Vector: Network (API)
- Patch Commit: ff2f00498cff151e2fb1f5f0b16963bf33c3d6d4
Affected Systems
- File Browser (Go): < 2.57.1 (Fixed in: 2.57.1)
Code Analysis
Commit: ff2f004
fix: prevent sensitive field modification bypass by lowercasing field names
--- a/http/users.go
+++ b/http/users.go
@@ -191,7 +191,7 @@
}
for _, field := range req.Which {
- if _, ok := sensibleFields[field]; ok {
+ if _, ok := sensibleFields[strings.ToLower(field)]; ok {
if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
}
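Review bot: the lowercased lookup only closes the gap if every key in `sensibleFields` is itself lowercase and `strings` is imported in http/users.go; neither is visible in this hunk, so both should be confirmed. Consider also normalizing `req.Which` once where the request is decoded, so the same lowercase field names flow through to the write path instead of being lowercased only at this check.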
Exploit Details
- Analysis: Exploit logic derived from patch diff and advisory description.
Mitigation Strategies
- Input Normalization: Always normalize user input (lowercase/uppercase) before performing security-critical lookups.
- Strict Data Binding: Use strict JSON decoding that rejects unknown fields or case mismatches to prevent 'shadow' fields from being processed.
- Principle of Least Privilege: Ensure API endpoints that modify credentials always require re-authentication, regardless of which fields are claimed to be modified.
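The flaw and the fix side by side, as an added Go example (not File Browser's own code): the sensitive-field gate is run once with the case-sensitive lookup of the vulnerable build and once with the lowercased lookup from the patch, against a write path that is assumed to match field names case-insensitively, which is what lets a Title Case "Password" slip past the check yet still land on the password column. The map contents, the types and the plaintext password comparison are constructed for this example.

```go
package main

import "strings"

// Fields gated behind the current password; keys are lowercase, as the patched
// lookup assumes (constructed subset for this example).
var sensibleFields = map[string]bool{"password": true, "perm": true}

// identity models the vulnerable lookup, which used the field name as sent.
func identity(s string) string { return s }

// user is a minimal stand-in for the account record; a plaintext comparison
// replaces users.CheckPwd to keep the example self-contained (constructed).
type user struct{ Password string }

// updateRequest follows the shape implied by the patch (constructed).
type updateRequest struct {
	Which           []string
	CurrentPassword string
	NewPassword     string
}

// requiresCurrentPassword reports whether any requested field is sensitive.
// normalize is identity for the vulnerable build and strings.ToLower for the fix.
func requiresCurrentPassword(which []string, normalize func(string) string) bool {
	for _, field := range which {
		if sensibleFields[normalize(field)] {
			return true
		}
	}
	return false
}

// applyUpdate models the write path, which matches field names case-insensitively
// (an assumption here), so "Password" still reaches the Password column.
func applyUpdate(u *user, req updateRequest) {
	for _, field := range req.Which {
		if strings.EqualFold(field, "password") {
			u.Password = req.NewPassword
		}
	}
}

// tryUpdate enforces the gate, then applies; it returns whether the write happened.
func tryUpdate(u *user, req updateRequest, normalize func(string) string) bool {
	if requiresCurrentPassword(req.Which, normalize) && req.CurrentPassword != u.Password {
		return false // fberrors.ErrCurrentPasswordIncorrect in the real handler
	}
	applyUpdate(u, req)
	return true
}
```

Running the same request through both gates makes a useful regression test: the vulnerable gate lets "Password" through with a wrong current password, the fixed gate rejects it.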
Remediation Steps:
- Upgrade File Browser to version 2.57.1 or later immediately.
- If immediate upgrading is not possible, place the File Browser instance behind a WAF that blocks requests containing the string "Password" or "Perm" in the JSON body of PUT requests.
- Rotate all user passwords if you suspect unauthorized access has occurred.
References
Read the full report for CVE-2026-25889 on our website for more details including interactive diagrams and full exploit analysis.