SB2026060821 - Insufficient Session Expiration in FileBrowser




Published: June 8, 2026

Security Bulletin ID: SB2026060821
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Insufficient Session Expiration (CVE-ID: CVE-2025-53826)

CWE-ID: CWE-613 - Insufficient Session Expiration

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass logout and retain access to authenticated functionality.

The vulnerability exists due to insufficient session expiration in the authentication system's JWT handling: requests that present a previously issued JWT are still accepted after logout. A remote user can replay a previously issued token to bypass logout and retain access to authenticated functionality.

The issue occurs because logout does not invalidate already issued JWTs, and the tokens remain usable until they expire naturally.
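
Added example (not FileBrowser's code and not the vendor's fix): a server-side denylist keyed on the token ID, which is one common way to make logout take effect before a token expires. All names, the key and the clock value are hypothetical or constructed, and a simplified HMAC-signed token stands in for a real JWT.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
)

var key = []byte("constructed-demo-key") // constructed; load real keys from a secret store
var revoked = map[string]int64{}         // server-side denylist: jti -> expiry (unix seconds)

// Issue builds a simplified "jti.exp.mac" token that stands in for a JWT.
func Issue(jti string, exp int64) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s.%d", jti, exp)
	return fmt.Sprintf("%s.%d.%x", jti, exp, m.Sum(nil))
}

// parse accepts only unexpired tokens identical to what Issue would produce.
func parse(tok string, now int64) (jti string, exp int64, ok bool) {
	f := strings.Split(tok, ".")
	if len(f) != 3 {
		return
	}
	exp, err := strconv.ParseInt(f[1], 10, 64)
	return f[0], exp, err == nil && hmac.Equal([]byte(tok), []byte(Issue(f[0], exp))) && now < exp
}

// Validate with checkRevoked=false models the flaw: logout has no effect.
func Validate(tok string, now int64, checkRevoked bool) bool {
	jti, _, ok := parse(tok, now)
	return ok && !(checkRevoked && revoked[jti] > 0) // an absent jti reads as 0
}

// Logout denylists the jti of a genuine token until its natural expiry.
func Logout(tok string, now int64) {
	if jti, exp, ok := parse(tok, now); ok {
		revoked[jti] = exp
	}
}

func main() {
	const now = 1700000000 // constructed clock value (unix seconds)
	tok := Issue("sess-1", now+3600)
	Logout(tok, now)
	fmt.Println("replay accepted:", Validate(tok, now, false), "| with denylist:", Validate(tok, now, true))
}
```

Because each denylist entry stores the token's expiry, entries can be deleted once that time has passed, so the list stays bounded by the token lifetime.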


Remediation

Install the update from the vendor's website.