CVE-2026-23849

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889	Patch
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-19 21:15

Updated : 2026-02-03 14:30

NVD link : CVE-2026-23849

Mitre link : CVE-2026-23849

CVE.ORG link : CVE-2026-23849

JSON object : View

Products Affected

filebrowser

filebrowser

CWE

CWE-208

Observable Timing Discrepancy

CWE-203

Observable Discrepancy

{"id": "CVE-2026-23849", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-01-19T21:15:51.653", "references": [{"url": "https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-208"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a \"short-circuit\" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue."}, {"lang": "es", "value": "El Navegador de Archivos proporciona una interfaz de gesti\u00f3n de archivos dentro de un directorio especificado y puede ser utilizado para subir, eliminar, previsualizar, renombrar y editar archivos. Antes de la versi\u00f3n 2.55.0, la funci\u00f3n JSONAuth. Auth contiene un fallo l\u00f3gico que permite a atacantes no autenticados enumerar nombres de usuario v\u00e1lidos midiendo el tiempo de respuesta del endpoint /api/login. La vulnerabilidad existe debido a una evaluaci\u00f3n de 'cortocircuito' en la l\u00f3gica de autenticaci\u00f3n. Cuando un nombre de usuario no se encuentra en la base de datos, la funci\u00f3n devuelve inmediatamente. Sin embargo, si el nombre de usuario s\u00ed existe, el c\u00f3digo procede a verificar la contrase\u00f1a usando bcrypt (users.CheckPwd), que es una operaci\u00f3n computacionalmente costosa dise\u00f1ada para ser lenta. Esta diferencia en la ruta de ejecuci\u00f3n crea una discrepancia de tiempo medible. La versi\u00f3n 2.55.0 contiene un parche para el problema."}], "lastModified": "2026-02-03T14:30:45.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36CB8D4B-1DFD-4F56-81BD-E31B346B0CE5", "versionEndExcluding": "2.55.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}