GHSA-xqp3-jq6g-x3qm: File Browser: Authentication Bypass via Proxy Auth Header Forgery
FileBrowser configured with proxy authentication (auth.method=proxy) is vulnerable to an authentication bypass that allows any unauthenticated attacker who can reach the server directly to impersonate any user, including administrators, by sending a forged HTTP header. Additionally, specifying a non-existent username in the header causes the server to automatically create a new user account without authorization. This vulnerability requires proxy authentication mode to be enabled and the FileBrowser server to be directly reachable by the attacker. The issue arises because the server trusts the proxy authentication header without verifying the request origin or credentials.
AI Analysis
Technical Summary
When FileBrowser is configured with proxy authentication, it trusts the HTTP header (e.g., X-Remote-User) set by the proxy to identify the user without verifying the source IP or any shared secret. The ProxyAuth.Auth() function reads the username from the header and returns the corresponding user object without password verification. If the username does not exist, the server automatically creates a new user account. This allows an attacker who can send requests directly to the FileBrowser server to impersonate any user, including admins, or create new accounts without authentication. The vulnerability is not exploitable on default configurations using JSON authentication and requires the server to be exposed directly to the attacker, which is common in some deployment scenarios due to default Docker port publishing or misconfigured network controls.
Potential Impact
An attacker can bypass authentication entirely by forging the proxy authentication header, gaining full access as any user, including administrators. This leads to complete compromise of the FileBrowser instance without needing credentials. Furthermore, the attacker can create new user accounts arbitrarily, providing an unauthorized account creation vector. The vulnerability does not affect default configurations without proxy authentication enabled and requires direct network access to the FileBrowser server port.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, ensure that FileBrowser configured with proxy authentication is not directly accessible to untrusted networks. Restrict access to the FileBrowser server to trusted proxies only, for example by binding to localhost or using firewall rules to limit incoming connections. Do not expose the FileBrowser port publicly or to untrusted internal networks without additional network-level protections. Review deployment configurations to ensure that proxy authentication headers cannot be spoofed by unauthorized clients.
GHSA-xqp3-jq6g-x3qm: File Browser: Authentication Bypass via Proxy Auth Header Forgery
Description
FileBrowser configured with proxy authentication (auth.method=proxy) is vulnerable to an authentication bypass that allows any unauthenticated attacker who can reach the server directly to impersonate any user, including administrators, by sending a forged HTTP header. Additionally, specifying a non-existent username in the header causes the server to automatically create a new user account without authorization. This vulnerability requires proxy authentication mode to be enabled and the FileBrowser server to be directly reachable by the attacker. The issue arises because the server trusts the proxy authentication header without verifying the request origin or credentials.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
When FileBrowser is configured with proxy authentication, it trusts the HTTP header (e.g., X-Remote-User) set by the proxy to identify the user without verifying the source IP or any shared secret. The ProxyAuth.Auth() function reads the username from the header and returns the corresponding user object without password verification. If the username does not exist, the server automatically creates a new user account. This allows an attacker who can send requests directly to the FileBrowser server to impersonate any user, including admins, or create new accounts without authentication. The vulnerability is not exploitable on default configurations using JSON authentication and requires the server to be exposed directly to the attacker, which is common in some deployment scenarios due to default Docker port publishing or misconfigured network controls.
Potential Impact
An attacker can bypass authentication entirely by forging the proxy authentication header, gaining full access as any user, including administrators. This leads to complete compromise of the FileBrowser instance without needing credentials. Furthermore, the attacker can create new user accounts arbitrarily, providing an unauthorized account creation vector. The vulnerability does not affect default configurations without proxy authentication enabled and requires direct network access to the FileBrowser server port.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, ensure that FileBrowser configured with proxy authentication is not directly accessible to untrusted networks. Restrict access to the FileBrowser server to trusted proxies only, for example by binding to localhost or using firewall rules to limit incoming connections. Do not expose the FileBrowser port publicly or to untrusted internal networks without additional network-level protections. Review deployment configurations to ensure that proxy authentication headers cannot be spoofed by unauthorized clients.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-xqp3-jq6g-x3qm
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-54089"]
- Ecosystems
- ["Go"]
- Database Specific Severity
- CRITICAL
- Cvss Version
- 3.1
Threat ID: 6a520eb668715ace438f52e8
Added to database: 07/11/2026, 09:36:54 UTC
Last enriched: 07/11/2026, 09:50:42 UTC
Last updated: 07/11/2026, 10:47:00 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.