{"api_version":"1","generated_at":"2026-06-26T02:49:15+00:00","cve":"CVE-2026-54089","urls":{"html":"https://cve.report/CVE-2026-54089","api":"https://cve.report/api/cve/CVE-2026-54089.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-54089","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-54089"},"summary":{"title":"File Browser: Authentication Bypass via Proxy Auth Header Forgery","description":"File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-25 19:16:40","updated_at":"2026-06-25 19:58:30"},"problem_types":["CWE-287","CWE-290","CWE-287 CWE-287: Improper Authentication","CWE-290 CWE-290: Authentication Bypass by Spoofing"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/filebrowser/filebrowser/blob/main/http/auth.go#L121-L137","name":"https://github.com/filebrowser/filebrowser/blob/main/http/auth.go#L121-L137","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qm","name":"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qm","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.go","name":"https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.go","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-54089","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54089","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"filebrowser","product":"filebrowser","version":"affected >= 2.0.0-rc.1","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-54089","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-25T18:33:12.379285Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-25T18:33:37.531Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qm"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"filebrowser","vendor":"filebrowser","versions":[{"status":"affected","version":">= 2.0.0-rc.1"}]}],"descriptions":[{"lang":"en","value":"File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-287","description":"CWE-287: Improper Authentication","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-290","description":"CWE-290: Authentication Bypass by Spoofing","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-25T17:46:13.119Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qm","tags":["x_refsource_CONFIRM"],"url":"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qm"},{"name":"https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.go","tags":["x_refsource_MISC"],"url":"https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.go"},{"name":"https://github.com/filebrowser/filebrowser/blob/main/http/auth.go#L121-L137","tags":["x_refsource_MISC"],"url":"https://github.com/filebrowser/filebrowser/blob/main/http/auth.go#L121-L137"}],"source":{"advisory":"GHSA-xqp3-jq6g-x3qm","discovery":"UNKNOWN"},"title":"File Browser: Authentication Bypass via Proxy Auth Header Forgery"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-54089","datePublished":"2026-06-25T17:46:13.119Z","dateReserved":"2026-06-11T18:44:47.761Z","dateUpdated":"2026-06-25T18:33:37.531Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 19:16:40","lastModifiedDate":"2026-06-25 19:58:30","problem_types":["CWE-287","CWE-290","CWE-287 CWE-287: Improper Authentication","CWE-290 CWE-290: Authentication Bypass by Spoofing"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-25T18:33:12.379285Z","id":"CVE-2026-54089","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"54089","Ordinal":"1","Title":"File Browser: Authentication Bypass via Proxy Auth Header Forger","CVE":"CVE-2026-54089","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"54089","Ordinal":"1","NoteData":"File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.","Type":"Description","Title":"File Browser: Authentication Bypass via Proxy Auth Header Forger"}]}}}