Description

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.

INFO

Published Date :

2026-01-19T20:37:29.716Z

Last Modified :

2026-01-20T15:54:36.499Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-23849 vulnerability.

Vendors Products
Filebrowser
  • Filebrowser
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23849.

URL Resource
https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889 cve-icon cve-icon
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact