Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-xqp3-jq6g-x3qm: File Browser: Authentication Bypass via Proxy Auth Header Forgery

0
Critical
Published: 07/10/2026 (07/10/2026, 19:27:13 UTC)
Source: GCVE Database
Product: github.com/filebrowser/filebrowser/v2

Description

FileBrowser configured with proxy authentication (auth.method=proxy) is vulnerable to an authentication bypass that allows any unauthenticated attacker who can reach the server directly to impersonate any user, including administrators, by sending a forged HTTP header. Additionally, specifying a non-existent username in the header causes the server to automatically create a new user account without authorization. This vulnerability requires proxy authentication mode to be enabled and the FileBrowser server to be directly reachable by the attacker. The issue arises because the server trusts the proxy authentication header without verifying the request origin or credentials.

CVSS v3.1

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected software

Goghsa
github.com/filebrowser/filebrowser/v2
Affected versions
>=2.0.0-rc.1 <=2.63.18

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/11/2026, 09:50:42 UTC

Technical Analysis

When FileBrowser is configured with proxy authentication, it trusts the HTTP header (e.g., X-Remote-User) set by the proxy to identify the user without verifying the source IP or any shared secret. The ProxyAuth.Auth() function reads the username from the header and returns the corresponding user object without password verification. If the username does not exist, the server automatically creates a new user account. This allows an attacker who can send requests directly to the FileBrowser server to impersonate any user, including admins, or create new accounts without authentication. The vulnerability is not exploitable on default configurations using JSON authentication and requires the server to be exposed directly to the attacker, which is common in some deployment scenarios due to default Docker port publishing or misconfigured network controls.

Potential Impact

An attacker can bypass authentication entirely by forging the proxy authentication header, gaining full access as any user, including administrators. This leads to complete compromise of the FileBrowser instance without needing credentials. Furthermore, the attacker can create new user accounts arbitrarily, providing an unauthorized account creation vector. The vulnerability does not affect default configurations without proxy authentication enabled and requires direct network access to the FileBrowser server port.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, ensure that FileBrowser configured with proxy authentication is not directly accessible to untrusted networks. Restrict access to the FileBrowser server to trusted proxies only, for example by binding to localhost or using firewall rules to limit incoming connections. Do not expose the FileBrowser port publicly or to untrusted internal networks without additional network-level protections. Review deployment configurations to ensure that proxy authentication headers cannot be spoofed by unauthorized clients.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-xqp3-jq6g-x3qm
Osv Schema Version
1.4.0
Aliases
["CVE-2026-54089"]
Ecosystems
["Go"]
Database Specific Severity
CRITICAL
Cvss Version
3.1

Threat ID: 6a520eb668715ace438f52e8

Added to database: 07/11/2026, 09:36:54 UTC

Last enriched: 07/11/2026, 09:50:42 UTC

Last updated: 07/11/2026, 10:47:00 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses