Case-Sensitivity Flaw in File Browser by File Browser Team
CVE-2026-25889

5.4 MEDIUM

Key Information:

Vendor
CVE Published: 9 February 2026

What is CVE-2026-25889?

A case-sensitivity flaw in the password validation logic of File Browser allows any authenticated user to change their password without entering the current password. The issue stems from the handling of Title Case field names: an API request that supplies the field as 'Password' bypasses the verification of 'current_password'. An attacker who has obtained valid JWT tokens through cross-site scripting (XSS) or session hijacking can exploit this vulnerability to take over user accounts. The flaw has been addressed in version 2.57.1.

Affected Version(s)

filebrowser < 2.57.1

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
