Insufficient Session Expiration in FileBrowser - CVE-2025-53826

 


Published: June 8, 2026


Vulnerability identifier: #VU133478
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-53826
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: File Browser
Affected software:
FileBrowser

Detailed vulnerability description

The vulnerability allows a remote user to bypass logout and retain access to authenticated functionality.

The vulnerability exists due to insufficient session expiration in the authentication system's JWT handling: requests that carry a previously issued JWT are still accepted after the user has logged out. A remote user can replay such a token to bypass logout and retain access to authenticated functionality.

The issue occurs because logout does not invalidate already issued JWTs, and the tokens remain usable until they expire naturally.
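The mechanism above, as an added Go example that is not FileBrowser's code or its patch: a verifier that checks only signature and expiry keeps accepting a token after logout, while one that also consults a server-side revocation list rejects it. The claim set (`jti`, `exp`), the key, the function names and the in-memory list are assumptions made for this illustration.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"sync"
)

type Claims struct { // constructed claim set for this example, not FileBrowser's
	ID  string `json:"jti"`
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding
var revoked sync.Map // jti -> exp, written at logout
func sign(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return b64.EncodeToString(m.Sum(nil))
}
func Issue(key []byte, c Claims) string {
	body, _ := json.Marshal(c)
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return msg + "." + sign(key, msg)
}
// VerifyStateless checks signature and expiry only, so logout cannot affect it.
func VerifyStateless(key []byte, tok string, now int64) (c Claims, ok bool) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(sign(key, p[0]+"."+p[1]))) {
		return c, false
	}
	body, err := b64.DecodeString(p[1])
	ok = err == nil && json.Unmarshal(body, &c) == nil && now < c.Exp
	return c, ok
}
// Logout records the token ID; Verify adds the lookup that makes logout effective.
func Logout(c Claims) { revoked.Store(c.ID, c.Exp) }
func Verify(key []byte, tok string, now int64) bool {
	c, ok := VerifyStateless(key, tok, now)
	_, gone := revoked.Load(c.ID)
	return ok && !gone
}
func main() {
	key, c := []byte("constructed-demo-key"), Claims{ID: "t1", Exp: 2000}
	tok := Issue(key, c)
	Logout(c) // t1 is revoked, but tok is still validly signed and unexpired
	fmt.Println(Verify(key, tok, 1500)) // false; VerifyStateless still accepts tok
}
```

A revocation entry is only needed until the token's `exp` passes, so the list stays bounded by the token lifetime. With more than one server instance the list has to live in a store that all instances share.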


How to mitigate CVE-2025-53826

Install the security update from the vendor's website.

Sources