CVE-2026-54089: Authentication Bypass by Spoofing in File Browser
Vulnerability ID: CVE-2026-54089
CVSS Score: 9.1
Published: 2026-07-10
CVE-2026-54089 is a critical authentication bypass vulnerability in File Browser affecting instances configured with proxy-based authentication. An unauthenticated remote attacker with direct network access can impersonate arbitrary users or register new accounts by spoofing configured HTTP headers.
TL;DR
Unauthenticated network-adjacent or remote attackers can gain full administrative access to File Browser instances by forging identity headers when the service is exposed without a validating reverse proxy.
Technical Details
- CWE ID: CWE-290
- Attack Vector: Network
- CVSS v3.1: 9.1 (Critical)
- EPSS Score: 0.00337
- Exploit Status: None
- KEV Status: Not listed
Affected Systems
- File Browser deployments configured with proxy authentication (auth.method=proxy) that are directly exposed to untrusted networks
-
File Browser: >= 2.0.0-rc.1 (Fixed in:
None)
Mitigation Strategies
- Bind File Browser exclusively to localhost (127.0.0.1) or an internal isolated network.
- Configure the upstream reverse proxy to sanitize, strip, or overwrite incoming client-supplied identity headers.
- Disable proxy authentication if network-level source verification and header sanitation cannot be enforced.
Remediation Steps:
- Verify the configured listen address in File Browser configuration or CLI command line flags (ensure it uses -a 127.0.0.1).
- Inspect the upstream proxy (e.g., Nginx, Traefik) and insert rules to clear client-supplied versions of the designated authentication header.
- Test vulnerability exposure by making a direct curl query to /api/login from an external network segment with the header set to verify it is blocked.
References
- GitHub Security Advisory GHSA-xqp3-jq6g-x3qm
- File Browser Proxy Authentication Code
- File Browser Authentication Endpoint Code
- NVD CVE-2026-54089 Details
Read the full report for CVE-2026-54089 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)