SB20260408132 - Multiple vulnerabilities in FileBrowser
Published: April 8, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-25889)
The vulnerability allows a remote user to bypass current password verification and change a user's password.
The vulnerability exists due to improper handling of case sensitivity in the userPutHandler function in http/users.go when processing password update API requests. A remote user can send a specially crafted request using the Title Case field name "Password" to bypass current password verification and change a user's password.
The issue affects instances using the JSON authentication method, and administrators can use the same bypass to change any user's password.
2) Incorrect authorization (CVE-ID: CVE-2026-25890)
The vulnerability allows a remote user to bypass path-based access controls and access restricted files.
The vulnerability exists due to incorrect authorization in the rule matching logic in rules/rules.go and URL path handling in http/http.go when handling requests with multiple leading slashes in the URL path. A remote user can send a specially crafted request to bypass path-based access controls and access restricted files.
If the user has general write permissions but is restricted from specific directories via rules, the issue can also permit unauthorized renaming, deletion, or modification of files in those directories.
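The two root causes described above, shown in an added Go example that is not FileBrowser's code: Go's encoding/json matches object keys case-insensitively, so a check that looks only for the exact key "password" can be bypassed by "Password" while the decoded struct still receives the new value; the hardened check compares keys case-insensitively, and a path normalizer collapses repeated leading slashes before rule matching. The struct, function names and request shape are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"path"
	"strings"
)

// userUpdate is an assumed shape of a password-update request body.
type userUpdate struct {
	Password string `json:"password"`
}

// naiveHasPasswordField is the weak check: it only recognises the exact
// lowercase key, although Unmarshal into userUpdate also accepts "Password".
func naiveHasPasswordField(body []byte) bool {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return false
	}
	_, ok := raw["password"]
	return ok
}

// hasPasswordField is the hardened check: any key that equals "password"
// under case folding counts as a password change and must trigger
// current-password verification.
func hasPasswordField(body []byte) bool {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return false
	}
	for k := range raw {
		if strings.EqualFold(k, "password") {
			return true
		}
	}
	return false
}

// decodedPassword shows what encoding/json actually assigns to the struct.
func decodedPassword(body []byte) string {
	var u userUpdate
	_ = json.Unmarshal(body, &u)
	return u.Password
}

// normalizePath collapses repeated leading slashes and cleans the path so
// that access rules are evaluated against one canonical form.
func normalizePath(p string) string {
	return path.Clean("/" + strings.TrimLeft(p, "/"))
}
```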
Remediation
Install update from vendor's website.