CVE-2026-54089: File Browser: Authentication Bypass via Proxy Auth Header Forgery
File Browser is a file management interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when File Browser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user, including admin, by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account-creation primitive with no authorization. This behaviour has been described in the project's documentation for several years, but it had not previously been documented as a vulnerability.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: — (no upstream fix published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
Authentication bypass in File Browser (filebrowser/filebrowser versions 2.0.0-rc.1 and later) allows any unauthenticated attacker who can reach the server over the network to impersonate any user, including administrators, by forging a single HTTP header. No credentials are needed. Successful exploitation gives the attacker full read and write access to all files managed by the instance, and a secondary primitive lets the attacker create arbitrary new user accounts with no authorization. HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Available: Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle File Browser. Environments running any affected version (>= 2.0.0-rc.1) are flagged automatically.
- Available: HarborGuard scores this finding at CVSS 9.1 (Critical) and makes that score available in every affected environment's findings dashboard, weighted against each customer org's compliance policy to determine queue priority. Routing rules inside each customer org direct the finding to the appropriate team inbox based on image ownership and policy configuration.
- Pending upstream: Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix lands. In the interim, customers can apply compensating controls through HarborGuard's network-policy recommendations to restrict direct access to File Browser instances that rely on proxy authentication.
Exploit Conditions
- Network reachability: Required. The attacker must be able to send an HTTP request directly to the File Browser server over the network; any internet-exposed or internally reachable instance is in scope.
- Authentication: Not required. No credentials of any kind are needed; the attacker forges a single HTTP header value to impersonate any account, including admin.
- Victim interaction: Not required. The attack is fully server-side; no user needs to click a link, open a file, or take any action for exploitation to succeed.
- Attack complexity: Low (CVSS AC:L). The exploit is reliable and condition-free: sending one crafted HTTP header is sufficient, with no race conditions or environment-specific prerequisites.
Blast Radius
- Reads, downloads, or exfiltrates any file accessible through the File Browser instance, including all files in the configured managed directory.
- Uploads, modifies, deletes, or overwrites files in the managed directory, enabling persistent tampering or destruction of stored data.
- Creates arbitrary new user accounts with no authorization, establishing persistent footholds that survive a password reset on the original admin account.
- Gains full administrative control of the File Browser instance by impersonating the admin user, including changing configuration and managing existing user accounts.
How HarborGuard Handles This
Available on HarborGuard: because no fix version has been published for CVE-2026-54089, HarborGuard continuously re-checks the upstream advisory on every ingest cycle and will surface a patched-image rebuild the moment filebrowser ships a remediated release. For environments with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point. In the meantime, HarborGuard's network-policy recommendations can be used to isolate File Browser instances behind a trusted reverse proxy that strips or controls the forged header before requests reach the application, and egress filtering can limit the blast radius if a host is already compromised. Customers are strongly advised to review whether any deployed File Browser images use auth.method=proxy with direct external exposure, and to apply network-level access controls until an upstream patch is available.
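The trust boundary the mitigation above relies on, as an added example written for this page (not File Browser's own code): a proxy-auth resolver in the shape the advisory describes, beside one that honours the identity header only when the TCP peer is the trusted reverse proxy and never turns a header value into a new account. The header name X-Forwarded-User, the proxy address 10.0.0.2 and the in-memory user store are assumptions of the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Header the proxy-auth deployment carries the username in (assumed name).
const identityHeader = "X-Forwarded-User"
// resolveUserVulnerable mirrors the advisory: the header is trusted from any
// peer, and an unknown name is silently created as a new account.
func resolveUserVulnerable(r *http.Request, users map[string]bool) (string, bool) {
	if user := r.Header.Get(identityHeader); user != "" {
		users[user] = true // account-creation primitive: unknown names become users
		return user, true
	}
	return "", false
}

// resolveUserHardened honours the header only when the TCP peer is a trusted
// proxy (assumes the proxy connects directly) and never creates accounts.
func resolveUserHardened(r *http.Request, users, trustedProxies map[string]bool) (string, bool) {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || !trustedProxies[peer] {
		return "", false // header did not arrive via the proxy
	}
	user := r.Header.Get(identityHeader)
	if user == "" || !users[user] {
		return "", false // unknown users are rejected, not created
	}
	return user, true
}

// forgedRequest builds a constructed request as sent by an arbitrary peer.
func forgedRequest(remoteAddr, user string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/api/resources", nil)
	r.RemoteAddr = remoteAddr
	r.Header.Set(identityHeader, user)
	return r
}

func main() {
	users, proxies := map[string]bool{"admin": true}, map[string]bool{"10.0.0.2": true} // assumed store and proxy address
	forged := forgedRequest("203.0.113.9:51000", "admin") // reaches the app directly, not via the proxy
	_, vulnOK := resolveUserVulnerable(forged, users)
	_, hardOK := resolveUserHardened(forged, users, proxies)
	fmt.Println("forged header accepted? vulnerable:", vulnOK, "hardened:", hardOK) // true false
}
```

The peer check is an application-layer compensating control only; the network isolation the advisory recommends is still needed, because the check assumes no intermediate hop rewrites the peer address.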
Affected Products
- filebrowser/filebrowser >= 2.0.0-rc.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N