#VU125390 Incorrect authorization in FileBrowser - CVE-2026-25890

 


Published: April 8, 2026


Vulnerability identifier: #VU125390
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-25890
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: FileBrowser
Software vendor: File Browser

Description

The vulnerability allows a remote user to bypass path-based access controls and access restricted files.

The vulnerability exists due to incorrect authorization in the rule matching logic in rules/rules.go and URL path handling in http/http.go when handling requests with multiple leading slashes in the URL path. A remote user can send a specially crafted request to bypass path-based access controls and access restricted files.

If the user has general write permissions but is restricted from specific directories via rules, the issue can also permit unauthorized renaming, deletion, or modification of files in those directories.
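A simplified model of this bug class and its fix, added here as an example; it is not FileBrowser's code. `Rule`, `allowedRaw`, `canonical` and `authorize` are hypothetical names, and the model assumes prefix-based deny rules evaluated with default-allow.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is a hypothetical prefix rule; Allow=false denies everything under Prefix.
type Rule struct {
	Prefix string
	Allow  bool
}

// allowedRaw models the flawed pattern: the rule is compared with the path
// exactly as received, so "//private/a.txt" does not start with "/private"
// and the deny rule never fires (default-allow, last matching rule wins).
func allowedRaw(rules []Rule, reqPath string) bool {
	allow := true
	for _, r := range rules {
		if strings.HasPrefix(reqPath, r.Prefix) {
			allow = r.Allow
		}
	}
	return allow
}

// canonical collapses repeated slashes and dot segments into one rooted form.
func canonical(reqPath string) string {
	return path.Clean("/" + reqPath)
}

// authorize canonicalizes once, checks rules on that form, and returns the
// same string for the file operation so check and use cannot disagree.
func authorize(rules []Rule, reqPath string) (string, bool) {
	p := canonical(reqPath)
	return p, allowedRaw(rules, p)
}

func main() {
	rules := []Rule{{Prefix: "/private", Allow: false}} // constructed sample rule
	for _, in := range []string{"/public/a.txt", "/private/a.txt", "//private/a.txt"} {
		p, ok := authorize(rules, in)
		fmt.Printf("%-18q raw=%-5v canonical=%q allowed=%v\n", in, allowedRaw(rules, in), p, ok)
	}
}
```

The three sample paths work as regression cases: after a fix, the raw and canonical decisions should agree for every input.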


Remediation

Install the security update from the vendor's website.
