CVE-2026-54089
Summary
When FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization.
This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.
Severity
HIGH - CVSS 3.1: 8.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Affected Component
- File: auth/proxy.go, lines 21-28
- CWE: CWE-287 (Improper Authentication), CWE-290 (Authentication Bypass by Spoofing)
- Affected versions: All versions supporting auth.method=proxy
Prerequisite: Proxy Auth Must Be Enabled
This vulnerability is NOT exploitable on default configuration (auth.method=json). It requires the administrator to have configured proxy authentication mode. However, this is a common production deployment pattern - many organizations run FileBrowser behind a reverse proxy that handles SSO/LDAP/OAuth authentication:
- nginx + Authelia / Authentik
- Traefik + OAuth2 Proxy
- Caddy + forward_auth
- Apache + mod_auth_ldap
In these setups, the proxy authenticates the user and passes the username via HTTP header (e.g., X-Remote-User). FileBrowser trusts this header to identify the user.
| Deployment Scenario | Exploitable? |
|---|---|
| Default install (auth.method=json) | No — JSON auth uses password verification |
| auth.method=proxy + FileBrowser only reachable via proxy (bound to 127.0.0.1 or firewalled) | No - attacker cannot reach the server directly |
| auth.method=proxy + FileBrowser port exposed to network | Yes - full admin takeover |
The third scenario is common because:
- Docker containers publish ports to 0.0.0.0 by default (e.g., -p 8085:80)
- Administrators expo
⚡ Watch CVE-2026-54089
Get an email if CVE-2026-54089 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.34% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 26% of all EPSS-scored CVEs.
Advisory coverage (1)
- criticalGHSA-xqp3-jq6g-x3qm: File Browser: Authentication Bypass via Proxy Auth Header Forgeryghsa · 2026-07-10
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-54089)