GHSA-xqp3-jq6g-x3qm: File Browser: Authentication Bypass via Proxy Auth Header Forgery
Summary
When FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization.
This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.
Severity
HIGH - CVSS 3.1: 8.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Affected Component
- File: auth/proxy.go, lines 21-28
- CWE: CWE-287 (Improper Authentication), CWE-290 (Authentication Bypass by Spoofing)
- Affected versions: All versions supporting auth.method=proxy
Prerequisite: Proxy Auth Must Be Enabled
This vulnerability is NOT exploitable on default configuration (auth.method=json). It requires the administrator to have configured proxy authentication mode. However, this is a common production deployment pattern - many organizations run FileBrowser behind a reverse proxy that handles SSO/LDAP/OAuth authentication:
- nginx + Authelia / Authentik
- Traefik + OAuth2 Proxy
- Caddy + forward_auth
- Apache + mod_auth_ldap
In these setups, the proxy authenticates the user and passes the username via HTTP header (e.g., X-Remote-User). FileBrowser trusts this header to identify the user.
| Deployment Scenario | Exploitable? |
|---|---|
| Default install (auth.method=json) | No — JSON auth uses password verification |
| auth.method=proxy + FileBrowser only reachable via proxy (bound to 127.0.0.1 or firewalled) | No - attacker cannot reach the server directly |
| auth.method=proxy + FileBrowser port exposed to network | Yes - full admin takeover |
The third scenario is common because:
- Docker containers publish ports to 0.0.0.0 by default (e.g., -p 8085:80)
- Administrators expo
Details
Original advisory: https://github.com/advisories/GHSA-xqp3-jq6g-x3qm
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-540890.34% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 26% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-54089 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10