CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-xqp3-jq6g-x3qm: File Browser: Authentication Bypass via Proxy Auth Header Forgery

criticalCVSS 9.1CVE-2026-54089
Summary When FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before. Severity HIGH - CVSS 3.1: 8.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) Affected Component - File: auth/proxy.go, lines 21-28 - CWE: CWE-287 (Improper Authentication), CWE-290 (Authentication Bypass by Spoofing) - Affected versions: All versions supporting auth.method=proxy Prerequisite: Proxy Auth Must Be Enabled This vulnerability is NOT exploitable on default configuration (auth.method=json). It requires the administrator to have configured proxy authentication mode. However, this is a common production deployment pattern - many organizations run FileBrowser behind a reverse proxy that handles SSO/LDAP/OAuth authentication: - nginx + Authelia / Authentik - Traefik + OAuth2 Proxy - Caddy + forward_auth - Apache + mod_auth_ldap In these setups, the proxy authenticates the user and passes the username via HTTP header (e.g., X-Remote-User). FileBrowser trusts this header to identify the user. | Deployment Scenario | Exploitable? | |---|---| | Default install (auth.method=json) | No — JSON auth uses password verification | | auth.method=proxy + FileBrowser only reachable via proxy (bound to 127.0.0.1 or firewalled) | No - attacker cannot reach the server directly | | auth.method=proxy + FileBrowser port exposed to network | Yes - full admin takeover | The third scenario is common because: - Docker containers publish ports to 0.0.0.0 by default (e.g., -p 8085:80) - Administrators expo

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical — CVSS 9.1
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-xqp3-jq6g-x3qm

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-54089coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories