Unauthorized User Impersonation in File Browser by FileBrowser
CVE-2026-54089

9.1 CRITICAL

Key Information:

Vendor
CVE Published: 25 June 2026

What is CVE-2026-54089?

The File Browser application, starting from version 2.0.0-rc.1, contains a vulnerability that allows unauthenticated attackers to impersonate any user, including admins. This can be achieved by sending a specially crafted HTTP header when the application is configured with proxy authentication. Additionally, entering a non-existent username can lead to the automatic creation of a new user account on the server without any authorization checks. This long-standing issue has been documented but not formally classified as a vulnerability until now.
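A defensive sketch of the two checks whose absence is described above, added here as an example and not taken from File Browser's code or from the advisory's fix. The header name `X-Remote-User`, the proxy range and the helper names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
)

// Assumed for this sketch: header name and proxy range are placeholders.
const userHeader = "X-Remote-User"
var errUntrustedPeer = errors.New("identity header from untrusted peer")
var errUnknownUser = errors.New("unknown user, not auto-created")

// proxyAuth accepts the proxy-asserted user only when the TCP peer is inside
// a trusted proxy network, and never provisions an account for an unknown name.
func proxyAuth(r *http.Request, trusted []*net.IPNet, users map[string]bool) (string, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return "", err
	}
	peer, fromProxy := net.ParseIP(host), false
	for _, n := range trusted {
		fromProxy = fromProxy || (peer != nil && n.Contains(peer))
	}
	if !fromProxy {
		return "", errUntrustedPeer
	}
	name := r.Header.Get(userHeader)
	if name == "" || !users[name] {
		return "", errUnknownUser
	}
	return name, nil
}

// check runs proxyAuth on a constructed request and reports the decision.
func check(remoteAddr, headerValue string) string {
	_, proxyNet, _ := net.ParseCIDR("10.0.0.0/24") // constructed proxy range
	r := &http.Request{RemoteAddr: remoteAddr, Header: http.Header{}}
	r.Header.Set(userHeader, headerValue)
	user, err := proxyAuth(r, []*net.IPNet{proxyNet}, map[string]bool{"admin": true})
	if err != nil {
		return "deny: " + err.Error()
	}
	return "allow: " + user
}

func main() {
	fmt.Println(check("10.0.0.5:41000", "admin"), "|", check("203.0.113.9:41000", "admin"))
}
```

The peer check uses the connection's `RemoteAddr`, not a forwarded-for header, since any header value can be set by the client.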

Affected Version(s)

filebrowser >= 2.0.0-rc.1

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved