CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-54089

criticalCVSS 9.1covered by 1 sourcefirst seen 2026-07-10
Summary When FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before. Severity HIGH - CVSS 3.1: 8.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) Affected Component - File: auth/proxy.go, lines 21-28 - CWE: CWE-287 (Improper Authentication), CWE-290 (Authentication Bypass by Spoofing) - Affected versions: All versions supporting auth.method=proxy Prerequisite: Proxy Auth Must Be Enabled This vulnerability is NOT exploitable on default configuration (auth.method=json). It requires the administrator to have configured proxy authentication mode. However, this is a common production deployment pattern - many organizations run FileBrowser behind a reverse proxy that handles SSO/LDAP/OAuth authentication: - nginx + Authelia / Authentik - Traefik + OAuth2 Proxy - Caddy + forward_auth - Apache + mod_auth_ldap In these setups, the proxy authenticates the user and passes the username via HTTP header (e.g., X-Remote-User). FileBrowser trusts this header to identify the user. | Deployment Scenario | Exploitable? | |---|---| | Default install (auth.method=json) | No — JSON auth uses password verification | | auth.method=proxy + FileBrowser only reachable via proxy (bound to 127.0.0.1 or firewalled) | No - attacker cannot reach the server directly | | auth.method=proxy + FileBrowser port exposed to network | Yes - full admin takeover | The third scenario is common because: - Docker containers publish ports to 0.0.0.0 by default (e.g., -p 8085:80) - Administrators expo

⚡ Watch CVE-2026-54089

Get an email if CVE-2026-54089 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-54089

CVE.org record

Embed the live status

CVE-2026-54089 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-54089 status](https://www.csirts.com/badge/CVE-2026-54089)](https://www.csirts.com/cve/CVE-2026-54089)