CVE-2026-54089
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk26th percentile — higher than 26% of all known CVEs
Summary
File Browser is a file management interface that, starting from version 2.0.0-rc.1, allows unauthenticated attackers to impersonate users, including admins, by sending a forged HTTP header. No credentials are required to gain access.
Risk Assessment
The organization is at serious risk as an attacker can gain full access to the system, including the ability to create new user accounts without authorization. This poses a potential threat to the integrity and confidentiality of data.
Recommendation
It is recommended to immediately update File Browser to the latest version that fixes this vulnerability and to implement additional security measures, such as restricting server access to authorized users only.
Original NVD description (English source)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.

