CVE-2026-54088: Pre-Authentication Remote Code Execution in File Browser Hook Authentication
Vulnerability ID: CVE-2026-54088
CVSS Score: 9.3
Published: 2026-07-10
CVE-2026-54088 is a critical command injection vulnerability in File Browser prior to version 2.63.6. When Hook Authentication is enabled, the application interpolates unsanitized credentials into a shell command, allowing unauthenticated remote code execution.
TL;DR
Unauthenticated remote command execution vulnerability in File Browser's Hook Authentication feature via unsanitized username/password inputs.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-78
- Attack Vector: Network (AV:N)
- CVSS Score: 9.3 (Critical)
- EPSS Score: 0.00533 (Percentile: 41.19%)
- Impact: Pre-Authentication Remote Code Execution
- Exploit Status: Public Proof-of-Concept Available
- CISA KEV Status: Not Listed
Affected Systems
- File Browser (all deployments using Hook Authentication prior to 2.63.6)
-
filebrowser: < 2.63.6 (Fixed in:
2.63.6)
Code Analysis
Commit: 34ae34e
Fix command injection in Hook Authentication by removing os.Expand
Exploit Details
- GitHub: Proof of Concept exploit for CVE-2026-54088
Mitigation Strategies
- Upgrade File Browser to version 2.63.6 or later.
- Disable Hook Authentication and fall back to local database authentication.
- Deploy Web Application Firewall (WAF) rules to inspect login payloads.
Remediation Steps:
- Identify running File Browser instances and check current versions.
- Pull and deploy the patched version (v2.63.6 or higher).
- If immediate patching is impossible, disable the Hook Auth feature via configuration.
- Verify the vulnerability is resolved by testing with safe canary injection attempts.
References
- NVD - CVE-2026-54088
- CVE - CVE-2026-54088
- File Browser v2.63.5 Vulnerable auth/hook.go Source Code
- Saku0512 Public PoC Repository
Read the full report for CVE-2026-54088 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)