CVE Catalog

CVE-2026-54089

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

26th percentile — higher than 26% of all known CVEs

Summary

File Browser is a file management interface that, starting from version 2.0.0-rc.1, allows unauthenticated attackers to impersonate users, including admins, by sending a forged HTTP header. No credentials are required to gain access.

Risk Assessment

The organization is at serious risk as an attacker can gain full access to the system, including the ability to create new user accounts without authorization. This poses a potential threat to the integrity and confidentiality of data.

Recommendation

It is recommended to immediately update File Browser to the latest version that fixes this vulnerability and to implement additional security measures, such as restricting server access to authorized users only.

Original NVD description (English source)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS