CVE-2026-54088
Overview
The Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE.
Affected Location
- File: auth/hook.go
- Function: HookAuth.RunCommand
CVSS v4.0
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable via the login endpoint over HTTP from any network |
| Attack Complexity (AC) | Low (L) | Single crafted HTTP request; no preparation needed |
| Attack Requirements (AT) | None (N) | No race condition or special timing required |
| Privileges Required (PR) | None (N) | No account required — pre-authentication attack |
| User Interaction (UI) | None (N) | Fully automated; no victim action needed |
| Vulnerable System Confidentiality (VC) | High (H) | Full read access to server filesystem and env |
| Vulnerable System Integrity (VI) | High (H) | Arbitrary file write/modification |
| Vulnerable System Availability (VA) | High (H) | Can kill processes, exhaust resources |
| Subsequent System Confidentiality (SC) | None (N) | No direct impact on downstream systems assumed |
| Subsequent System Integrity (SI) | None (N) | — |
| Subsequent System Availability (SA) | None (N) | — |
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Base Score: 9.3 (Critical)
Note: PR:None is the critical differentiator from vulnerabilities 01 and 02. Because the injection point is the unauthenticated login endpoint, no account or session is required. A single HTTP request to the login API is sufficient to achieve RCE.
CWE
| ID | Name | Role |
|---|---|---|
| CWE-78 |
⚡ Watch CVE-2026-54088
Get an email if CVE-2026-54088 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.53% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 41% of all EPSS-scored CVEs.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-54088)