HarborGuard Database
Severity: CRITICAL | CVE-2026-54088 | CNA: GitHub_M

CVE-2026-54088: File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.
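The following Go program illustrates the pattern the advisory describes and the shape of the fix. It is an added example written for this page, not File Browser's own code: the template string, the mapping function, the hook path and the FB_AUTH_* environment variable names are assumptions. The weak path substitutes credentials into a command line with os.Expand and hands the line to /bin/sh; the hardened path keeps argv fixed and passes credentials to the hook in environment variables, where shell metacharacters are inert. A small helper flags credential fields that carry metacharacters, which is useful when reviewing access logs of instances that were exposed while running hook authentication.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
	"time"
)

// hookTemplate stands in for a command string an administrator might configure
// for hook authentication. Hypothetical: File Browser's real template syntax
// is not reproduced here.
const hookTemplate = "/usr/local/bin/check-login $username $password"

// expandIntoCommand reproduces the weak pattern the advisory describes:
// user-controlled values are substituted into a command string with os.Expand.
// os.Expand is plain text substitution, so ';', '`', '$(...)' and friends in
// the username or password end up verbatim in the resulting line.
func expandIntoCommand(tmpl, username, password string) string {
	return os.Expand(tmpl, func(key string) string {
		switch key {
		case "username":
			return username
		case "password":
			return password
		}
		return ""
	})
}

// runViaShell is how such a line is executed in the vulnerable design:
// the whole string is parsed by /bin/sh, so injected metacharacters run.
// Kept here for contrast only; main() never calls it.
func runViaShell(line string) error {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	return exec.CommandContext(ctx, "/bin/sh", "-c", line).Run()
}

// runHookSafely is the hardened shape: the hook program and its argv are fixed
// by configuration, credentials travel in environment variables, and no shell
// ever parses them. Exit status 0 means "accept"; any other status "reject".
func runHookSafely(username, password string, argv ...string) (bool, error) {
	if len(argv) == 0 {
		return false, errors.New("hook argv must not be empty")
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	cmd := exec.CommandContext(ctx, argv[0], argv[1:]...)
	cmd.Env = append(os.Environ(),
		"FB_AUTH_USERNAME="+username, // variable names are assumptions
		"FB_AUTH_PASSWORD="+password,
	)
	err := cmd.Run()
	var exitErr *exec.ExitError
	switch {
	case err == nil:
		return true, nil
	case errors.As(err, &exitErr):
		return false, nil // hook ran and rejected the login
	default:
		return false, err // hook could not be run at all
	}
}

// containsShellMeta flags credential fields carrying characters that only make
// sense as an injection against a backend that hands them to a shell.
func containsShellMeta(s string) bool {
	return strings.ContainsAny(s, ";|&`$(){}<>\n")
}

func main() {
	// Constructed attacker input: a username that terminates the intended
	// command and appends its own.
	user := "alice; id > /tmp/pwned #"
	line := expandIntoCommand(hookTemplate, user, "hunter2")
	fmt.Println("line a shell would see:", line)
	fmt.Println("looks like injection:", containsShellMeta(user))

	// Same input through the hardened path: the hook compares the environment
	// variable literally, so the injected text is just a string and id never runs.
	ok, err := runHookSafely(user, "hunter2",
		"/bin/sh", "-c", `[ "$FB_AUTH_USERNAME" = "alice; id > /tmp/pwned #" ]`)
	fmt.Println("safe path accepted:", ok, "error:", err)
}
```

The design point is that the fix is not escaping: once credentials are passed as data (argv elements or environment variables) to a process started without a shell, there is nothing for a metacharacter to break out of, and the hook program owns the responsibility of treating the values as opaque strings.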

Metrics

CVSS v4.0 score: 9.3
Severity: CRITICAL
Fixed in: 2.63.6
Affected products: 1


HarborGuard Analysis

Synopsis

This is a command injection vulnerability in File Browser, a web-based file management interface. An unauthenticated remote attacker can send crafted username or password values containing shell metacharacters to the login endpoint; the server passes those values unsanitized into an OS command string via the Hook Authentication feature, executing arbitrary commands before any login check runs. Successful exploitation gives the attacker remote code execution on the host running File Browser, as the user the process runs as. Only instances configured to use Hook Authentication route credentials through this code path. The maintainers fixed the issue in File Browser 2.63.6; every earlier release is affected.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images and pipeline builds, including custom-built images that bundle File Browser. Any image found to contain an affected version of filebrowser is flagged immediately.

Triage: Available

HarborGuard scores this finding at CVSS 9.3 (Critical) and weights it against each environment's compliance policy to set urgency and escalation path. Routing to the appropriate team inbox within each customer organization happens as soon as the match is confirmed.

Patch: Available upstream (2.63.6)

The upstream fix is File Browser 2.63.6. HarborGuard rebuilds affected images against 2.63.6 or later; where a rebuild cannot be rolled out immediately, customers can use HarborGuard's compensating-control workflow to apply network-policy isolation or flag the affected images for manual review.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the File Browser login endpoint over the network; the vulnerable code path is exposed on the HTTP/HTTPS interface without any prior connection filtering.

  • Authentication: Not required

    No credentials or account of any kind are needed; the injection occurs in the unauthenticated login request itself, before any credential check runs.

  • Victim interaction: Not required

    No user action is required; the attacker sends a crafted HTTP request directly to the server and the command executes automatically.

  • Attack complexity: Low

    Exploitation is reliable: the attacker includes shell metacharacters in a standard login request, with no race condition to win. The one prerequisite is configuration, not timing: only instances whose administrator has enabled the Hook Authentication method pass credentials to an external shell command, so deployments using another authentication method do not reach the vulnerable code.

Blast Radius

  • The attacker executes arbitrary OS commands as the user running the File Browser process, with full access to the underlying shell environment.
  • All files within the directory served by File Browser are readable and writable, including any secrets, configuration files, or uploaded user data stored there.
  • The attacker can write to or delete any file the server process can reach, corrupting data or planting backdoors on the host filesystem.
  • The server process and any services reachable from it can be terminated or manipulated, causing a full service outage for File Browser and any dependent workflows.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-54088 is active and matches against all customer images containing an affected filebrowser build, including internally constructed images. The fix is upstream release 2.63.6; upgrade every affected instance to 2.63.6 or later. Until the upgrade is rolled out, customers are encouraged to use HarborGuard's network-policy isolation controls to restrict inbound access to File Browser instances to trusted source ranges only, and to switch away from Hook Authentication (or disable it) where it is not operationally required, since only the hook method passes credentials to a shell command. Instances that were reachable from untrusted networks while running Hook Authentication should have their login-request logs reviewed for usernames carrying shell metacharacters before they are assumed clean. For customers with auto-remediation enabled, a rebuilt image against 2.63.6, a regression-test run, and a PR opened against affected workloads are triggered automatically.

Affected packages
  • filebrowser / filebrowser
    < 2.63.6
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N