FKIE_CVE-2026-23849

Vulnerability from fkie_nvd - Published: 2026-01-19 21:15 - Updated: 2026-02-03 14:30
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.
References
security-advisories@github.comhttps://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889Patch
security-advisories@github.comhttps://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prcExploit, Vendor Advisory
Impacted products
Vendor Product Version
filebrowser filebrowser *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "36CB8D4B-1DFD-4F56-81BD-E31B346B0CE5",
              "versionEndExcluding": "2.55.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a \"short-circuit\" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue."
    },
    {
      "lang": "es",
      "value": "El Navegador de Archivos proporciona una interfaz de gesti\u00f3n de archivos dentro de un directorio especificado y puede ser utilizado para subir, eliminar, previsualizar, renombrar y editar archivos. Antes de la versi\u00f3n 2.55.0, la funci\u00f3n JSONAuth. Auth contiene un fallo l\u00f3gico que permite a atacantes no autenticados enumerar nombres de usuario v\u00e1lidos midiendo el tiempo de respuesta del endpoint /api/login. La vulnerabilidad existe debido a una evaluaci\u00f3n de \u0027cortocircuito\u0027 en la l\u00f3gica de autenticaci\u00f3n. Cuando un nombre de usuario no se encuentra en la base de datos, la funci\u00f3n devuelve inmediatamente. Sin embargo, si el nombre de usuario s\u00ed existe, el c\u00f3digo procede a verificar la contrase\u00f1a usando bcrypt (users.CheckPwd), que es una operaci\u00f3n computacionalmente costosa dise\u00f1ada para ser lenta. Esta diferencia en la ruta de ejecuci\u00f3n crea una discrepancia de tiempo medible. La versi\u00f3n 2.55.0 contiene un parche para el problema."
    }
  ],
  "id": "CVE-2026-23849",
  "lastModified": "2026-02-03T14:30:45.250",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-19T21:15:51.653",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-208"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.