DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-7789-65HX-F26W: Username Enumeration via Authentication Timing Side-Channel in FileBrowser Quantum

Vulnerability ID: GHSA-7789-65HX-F26W
CVSS Score: 5.3
Published: 2026-03-24

FileBrowser Quantum versions prior to v1.3.2-beta contain a timing side-channel vulnerability in the authentication endpoint. The application processes login requests for valid usernames significantly slower than for invalid usernames due to the conditional execution of the bcrypt hashing algorithm. This discrepancy allows unauthenticated remote attackers to enumerate valid usernames registered on the target system.

TL;DR

A timing side-channel in FileBrowser Quantum's authentication flow allows unauthenticated attackers to enumerate valid usernames by measuring the response latency of login requests.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-208
  • Attack Vector: Network
  • CVSS Score: 5.3
  • Impact: Information Disclosure (Username Enumeration)
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • FileBrowser Quantum
  • github.com/gtsteffaniak/filebrowser
  • FileBrowser Quantum: < 1.3.2-beta (Fixed in: 1.3.2-beta)

Code Analysis

Commit: af08800

Normalize authentication execution time to fix timing side-channel in login endpoint.
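The conditional bcrypt path described in the summary, and the execution-time normalization the fix commit refers to, as an added Go example that is not FileBrowser's own code: it assumes an iterated SHA-256 as a stand-in for bcrypt (so it stays standard-library only), a constructed single-user store, and a `hashCalls` counter that makes the skipped work visible without a stopwatch.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
)

// Assumption: FileBrowser uses bcrypt; iterated SHA-256 stands in for it here.
const hashRounds = 100000

var hashCalls int // counts expensive hash evaluations so the leak is visible

func slowHash(password string) string {
	hashCalls++
	sum := sha256.Sum256([]byte(password))
	for i := 1; i < hashRounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return hex.EncodeToString(sum[:])
}

// Constructed user store, plus a dummy hash computed once at startup.
var (
	users     = map[string]string{"alice": slowHash("correct horse")}
	dummyHash = slowHash("dummy-password-never-accepted")
)

// vulnerableLogin hashes only when the username exists, so unknown usernames
// return almost instantly: the latency gap is the CWE-208 leak.
func vulnerableLogin(user, pass string) bool {
	stored, ok := users[user]
	if !ok {
		return false // early return skips the hash work entirely
	}
	return subtle.ConstantTimeCompare([]byte(slowHash(pass)), []byte(stored)) == 1
}

// fixedLogin always hashes (against dummyHash for unknown users) and forces
// the result to false so the dummy value can never authenticate.
func fixedLogin(user, pass string) bool {
	stored, ok := users[user]
	if !ok {
		stored = dummyHash
	}
	match := subtle.ConstantTimeCompare([]byte(slowHash(pass)), []byte(stored)) == 1
	return ok && match
}
```

Step 4 of the remediation below is the runtime version of this check: time a login for a known-invalid and a known-valid username and confirm the two are indistinguishable.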

Mitigation Strategies

  • Upgrade FileBrowser Quantum to version v1.3.2-beta or later.
  • Implement strict rate limiting on the /api/auth/login endpoint using a Web Application Firewall (WAF) or reverse proxy.
  • Monitor authentication logs for high volumes of failed logins across diverse usernames originating from a single IP address.

Remediation Steps

  1. Verify the current version of FileBrowser Quantum running in the environment.
  2. Download the v1.3.2-beta release or pull the latest container image from the official repository.
  3. Deploy the updated version and restart the FileBrowser service.
  4. Perform a test login with a known invalid user and a valid user to confirm response times are uniform.
