Incorrect authorization in FileBrowser - CVE-2026-25890

Published: April 8, 2026


Vulnerability identifier: #VU125390
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-25890
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: File Browser
Affected software:
FileBrowser

Detailed vulnerability description

The vulnerability allows a remote user to bypass path-based access controls and access restricted files.

The vulnerability exists due to incorrect authorization in the rule matching logic in rules/rules.go and URL path handling in http/http.go when handling requests with multiple leading slashes in the URL path. A remote user can send a specially crafted request to bypass path-based access controls and access restricted files.

If the user has general write permissions but is restricted from specific directories via rules, the issue can also permit unauthorized renaming, deletion, or modification of files in those directories.
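As an added illustration of the bug class (hypothetical Go code written for this page, not FileBrowser's own rule matcher and not the vendor's fix), the snippet below contrasts a rule check that compares the raw URL path against a deny prefix with one that canonicalizes the path first. The names Rule, naiveAllowed, canonicalPath and safeAllowed are assumed here.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule denies access below Prefix (an assumed model, not FileBrowser's own type).
type Rule struct {
	Prefix string // e.g. "/private"
}

// naiveAllowed matches the raw URL path. "//private/x" does not start with
// "/private", so the deny rule never fires: the bypass the advisory describes.
func naiveAllowed(rules []Rule, rawPath string) bool {
	for _, r := range rules {
		if strings.HasPrefix(rawPath, r.Prefix) {
			return false
		}
	}
	return true
}

// canonicalPath collapses leading and repeated slashes and resolves "." and
// "..", so that authorization and file access both see one single form.
func canonicalPath(rawPath string) string {
	return path.Clean("/" + strings.TrimLeft(rawPath, "/"))
}

// safeAllowed normalizes first; "//private/x", "/private//x" and
// "/public/../private/x" all become "/private/x" and are denied.
func safeAllowed(rules []Rule, rawPath string) bool {
	p := canonicalPath(rawPath)
	for _, r := range rules {
		if p == r.Prefix || strings.HasPrefix(p, r.Prefix+"/") {
			return false
		}
	}
	return true
}

func main() {
	rules := []Rule{{Prefix: "/private"}}
	for _, req := range []string{"/public/a.txt", "/private/x", "//private/x"} {
		fmt.Printf("%-14s naive=%-5v normalized=%v\n", req, naiveAllowed(rules, req), safeAllowed(rules, req))
	}
}
```

The defensive point is that the same canonical form must be used both for the authorization decision and for the file operation, otherwise the two can disagree.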


How to mitigate CVE-2026-25890

Install the security update from the vendor's website.

Sources