File Browser, OS Command Injection, CVE-2026-54088 (Critical) -DC-Jul2026-871

Listen to this Post

How CVE-2026-54088 Works

The Hook Authentication feature in File Browser allows an administrator to delegate login verification to an external shell command. User-supplied credentials—the username and password entered at the login screen—are directly interpolated into this command string using Go’s `os.Expand` function. This function performs plain text substitution of environment variables like `$USERNAME` and `$PASSWORD` without any sanitization, escaping, or validation.
The vulnerability exists in the `HookAuth.RunCommand` function within auth/hook.go. When a login request is processed, the `envMapping` function retrieves the username and password directly from the HTTP request body. These values are then passed to os.Expand, which substitutes them into the shell command configured by the administrator.
For example, if an administrator configures the hook authentication command as sh -c "test $USERNAME = 'admin'", an attacker can submit a username like ; id. The `os.Expand` function substitutes `$USERNAME` with this payload, resulting in the command sh -c "test ; id = 'admin'". The semicolon (;) terminates the `test` expression, allowing the `id` command to execute. The hash (“) comments out the remainder of the command, preventing a syntax error.
This injection occurs before any authentication takes place, making it a pre-authentication remote code execution (RCE) vulnerability. An unauthenticated attacker can exploit this with a single crafted HTTP request to the login endpoint, without needing any prior access or valid credentials. The command executes with the privileges of the File Browser process, potentially leading to full system compromise.

DailyCVE Form

| Field | Value |

| : | : |

| Platform | File Browser |

| Version | < 2.63.6 |

| Vulnerability | Pre-Auth OS Command Injection |

| Severity | Critical (CVSS 9.3) |

| Date | 2026-06-25 |

| Prediction | Already Patched (2.63.6) |

What Undercode Say: Analytics

  • Exploit Publicly Available: A public proof-of-concept (PoC) exploit repository was indexed on June 12, 2026.
  • EPSS Score: 0.53% (41st percentile).
  • Automatable: Yes.
  • Technical Impact: Partial.
  • CISA Coordinator Analysis: Exploitation is at PoC level, automatable, with partial technical impact.

Bash Command Example:

Exploit payload in the username field
curl -X POST http://target-ip:8080/api/login \
-d '{"username":"; id ","password":"anything"}'

Go Proof of Concept (as provided in the ):

package auth
import (
"os"
"strings"
"testing"
)
func TestPoC_AuthHookInjection(t testing.T) {
a := &HookAuth{
Command: "sh -c $USERNAME",
Cred: hookCred{
Username: "id ; echo injected",
Password: "anything",
},
}
command := strings.Split(a.Command, " ")
envMapping := func(key string) string {
if key == "USERNAME" {
return a.Cred.Username
}
return os.Getenv(key)
}
for i, arg := range command {
if i == 0 {
continue
}
command[bash] = os.Expand(arg, envMapping)
}
// Executes: sh -c "id ; echo injected"
t.Logf("Executing: %v", command)
}

How Exploit: Attack Scenario

  1. Prerequisite: An administrator enables the Hook Authentication feature and sets a command that uses `$USERNAME` or `$PASSWORD` (e.g., sh -c "test $USERNAME = 'admin'").
  2. Attacker Action: An unauthenticated attacker sends a login request (via `curl` or the web UI) with a malicious payload in the username field (e.g., ; id).
  3. Vulnerable Code Execution: The File Browser server processes the request. The `HookAuth.RunCommand` function uses `os.Expand` to substitute the payload into the command string, resulting in sh -c "test ; id = 'admin'".
  4. RCE: The shell executes the injected `id` command (or any other OS command) with the privileges of the File Browser process.

Protection: From This CVE

  • Patch: Upgrade File Browser to version 2.63.6 or later, which contains the fix.
  • Workaround: If an immediate upgrade is not possible, disable the Hook Authentication feature. Removing the hook command configuration eliminates the vulnerable code path entirely.
  • Network Mitigation: Restrict internet-facing access to File Browser instances. Place them behind a firewall or network access controls to limit the attack surface.

Impact

An unauthenticated remote attacker can execute arbitrary OS commands on the server. This is the most severe class of vulnerability in this codebase:
– No authentication required: Exposed to the entire internet if the service is public-facing.
– Single request: No setup, no enumeration, no prior foothold needed.
– Full server compromise: Data exfiltration, persistent backdoor installation, and lateral movement to internal networks are possible.
Any internet-facing File Browser instance with Hook Authentication enabled is fully compromised by a single malformed login attempt.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top