#VU125389 Improper Handling of Case Sensitivity in FileBrowser - CVE-2026-25889
Published: April 8, 2026
FileBrowser
File Browser
Description
The vulnerability allows a remote user to bypass current password verification and change a user's password.
The vulnerability exists due to improper handling of case sensitivity in the userPutHandler function in http/users.go when processing password update API requests. A remote user can send a specially crafted request using the Title Case field name "Password" to bypass current password verification and change a user's password.
The issue affects instances using the JSON authentication method, and administrators can use the same bypass to change any user's password.
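The check described above can be modelled in a few lines of Go. This is an added example, not code from FileBrowser or from the advisory. The `updateRequest` type, the `Which` field list, and the functions `gateExact`, `gateFolded` and `authorize` are hypothetical names, and the model assumes a later layer accepts the Title Case field name.

```go
package main

import (
	"fmt"
	"strings"
)

// updateRequest is a constructed model of a user-update body in which the
// client names the fields to change. It is not FileBrowser's real type.
type updateRequest struct {
	Which           []string
	CurrentPassword string
}

// gateExact compares field names byte for byte, so "Password" is not
// recognised as the sensitive "password" field.
func gateExact(req updateRequest) bool {
	for _, f := range req.Which {
		if f == "password" {
			return true
		}
	}
	return false
}

// gateFolded folds case first, so every spelling of the field is gated.
func gateFolded(req updateRequest) bool {
	for _, f := range req.Which {
		if strings.EqualFold(f, "password") {
			return true
		}
	}
	return false
}

// authorize allows a gated update only when the current password matches.
// Plain string comparison keeps the model short; real code compares hashes.
func authorize(req updateRequest, stored string, gate func(updateRequest) bool) bool {
	if gate(req) {
		return req.CurrentPassword == stored
	}
	return true
}

func main() {
	req := updateRequest{Which: []string{"Password"}} // constructed input
	fmt.Println("exact gate allows:", authorize(req, "s3cret", gateExact))
	fmt.Println("folded gate allows:", authorize(req, "s3cret", gateFolded))
}
```

The same principle applies to any security gate keyed on a client-supplied name: normalize the name the same way the consuming layer does before deciding whether the gate applies.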