CVE-2026-23849
📋 TL;DR
This CVE describes a timing attack vulnerability in File Browser's authentication mechanism that allows unauthenticated attackers to enumerate valid usernames by measuring response time differences. The vulnerability affects File Browser installations prior to version 2.55.0. Attackers can use this information to facilitate credential stuffing or targeted brute-force attacks.
💻 Affected Systems
- File Browser
📦 What is this software?
Filebrowser by Filebrowser
⚠️ Risk & Real-World Impact
Worst Case
Attackers enumerate all valid usernames, then perform targeted password attacks leading to unauthorized access to the file management system and potential data exposure or manipulation.
Likely Case
Attackers enumerate some valid usernames, increasing the efficiency of subsequent brute-force or credential stuffing attacks against the identified accounts.
If Mitigated
With rate limiting and strong password policies, attackers may only enumerate a few usernames before being blocked, limiting the attack's effectiveness.
🎯 Exploit Status
The exploit requires sending multiple authentication requests and measuring response times, which can be automated with simple scripts.
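The root cause of this vulnerability class, shown as an added illustration (this is not File Browser's code and does not claim to reproduce its login handler): a login routine that returns early when the username is unknown skips the slow password-hash computation, so unknown-user requests answer faster than known-user ones. The hardened form always does the same work, hashing against a dummy record when the user does not exist and comparing in constant time. The user store, the PBKDF2 stand-in for the real password hash, and the usernames are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a password database: username -> (salt, PBKDF2 hash).
# Not File Browser's storage format; the iteration count just makes the hash
# slow enough for the timing difference to be visible.
_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential used when the username is unknown, so the slow hash
# computation runs on every request regardless of whether the user exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users: those requests skip the hash entirely,
    so their response time reveals that the username does not exist."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return _hash(password, salt) == stored  # plain == is also not constant-time


def login_hardened(username: str, password: str) -> bool:
    """Does identical work on both paths: hashes against a dummy record when
    the user is unknown, compares in constant time, and applies the
    'user exists' condition only after the hash has been computed."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    hash_ok = hmac.compare_digest(_hash(password, salt), stored)
    return hash_ok and record is not None


def timing_gap_ms(login, rounds: int = 5) -> float:
    """Median response-time difference (ms) between a known and an unknown
    username for the given login function, measured locally against the
    in-memory store above. Positive and large for the vulnerable path,
    close to zero for the hardened one."""
    def median_seconds(user: str) -> float:
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            login(user, "wrong password")
            samples.append(time.perf_counter() - t0)
        samples.sort()
        return samples[len(samples) // 2]

    return (median_seconds("admin") - median_seconds("nobody")) * 1000


if __name__ == "__main__":
    print(f"vulnerable gap: {timing_gap_ms(login_vulnerable):.2f} ms")
    print(f"hardened gap:   {timing_gap_ms(login_hardened):.2f} ms")
```

The same pattern is what "consistent timing regardless of username validity" in the verification section refers to: the hardened handler's cost is dominated by the hash on both paths, so the remaining difference is dictionary-lookup noise.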
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.55.0
Vendor Advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc
Restart Required: Yes
Instructions:
1. Backup your configuration and data.
2. Stop the File Browser service.
3. Update to version 2.55.0 or later using your package manager or by downloading from GitHub.
4. Restart the File Browser service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Implement Rate Limiting
Configure rate limiting on the /api/login endpoint to slow down timing attacks. Note that this limits how many measurements an attacker can take; it does not remove the timing difference itself, so it is a stopgap until the patch is applied.
# Configure via reverse proxy (nginx example).
# The "login" zone must be declared once in the http {} block, e.g.:
#   limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
location /api/login {
    limit_req zone=login burst=5 nodelay;
    limit_req_status 429;
}
Use External Authentication
Disable built-in authentication and use an external authentication method such as OAuth or LDAP
# In filebrowser.json:
{
"auth": {
"method": "oauth2"
}
}
🧯 If You Can't Patch
- Implement network-level controls to restrict access to the File Browser instance
- Enable comprehensive logging and monitoring for authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check if File Browser version is below 2.55.0 by accessing the web interface or checking the running process version
Check Version:
filebrowser version
Verify Fix Applied:
Verify the installed version is 2.55.0 or higher and test that authentication responses have consistent timing regardless of username validity
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts with different usernames from same source
- Unusual pattern of authentication requests with consistent timing intervals
Network Indicators:
- High volume of POST requests to /api/login endpoint
- Requests with varying usernames but no password attempts
SIEM Query:
source="filebrowser" AND (url="/api/login" AND status=401) | stats count by src_ip, username
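The detection logic behind the log and network indicators above, as an added example that is not part of the original advisory: it groups 401 responses on /api/login by source IP, raises an alert when one source tries many distinct usernames within a short window, and flags whether the requests arrive at a regular interval (the "consistent timing intervals" indicator). The log lines are constructed in a generic "timestamp ip method path status user=" shape, not File Browser's real log format; map your actual fields into `parse_line` before using it, and tune the thresholds to your traffic.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one source cycling through many usernames at a fixed
# 0.5 s cadence (enumeration), and one source retrying a single account.
SAMPLE_LOG = """\
2026-01-10T12:00:00.000Z 203.0.113.7 POST /api/login 401 user=alice
2026-01-10T12:00:00.500Z 203.0.113.7 POST /api/login 401 user=bob
2026-01-10T12:00:01.000Z 203.0.113.7 POST /api/login 401 user=carol
2026-01-10T12:00:01.500Z 203.0.113.7 POST /api/login 401 user=dave
2026-01-10T12:00:02.000Z 203.0.113.7 POST /api/login 401 user=erin
2026-01-10T12:00:02.500Z 203.0.113.7 POST /api/login 401 user=frank
2026-01-10T12:00:03.000Z 203.0.113.7 POST /api/login 401 user=grace
2026-01-10T12:00:03.500Z 203.0.113.7 POST /api/login 401 user=heidi
2026-01-10T12:03:10.000Z 198.51.100.4 POST /api/login 401 user=admin
2026-01-10T12:04:42.000Z 198.51.100.4 POST /api/login 401 user=admin
2026-01-10T12:05:01.000Z 198.51.100.4 POST /api/login 200 user=admin
"""

# Field layout assumed for the constructed format above.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) user=(\S+)$")


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status, user = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
        "user": user,
    }


def find_enumeration(log_text: str, min_users: int = 5,
                     window_s: float = 60.0, max_jitter_s: float = 0.25):
    """Alert per source IP that produced >= min_users distinct usernames with
    401 responses on /api/login inside any window_s-second window. The alert
    also records whether inter-request gaps are regular (low jitter), which
    points at a scripted rather than human source."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["path"] == "/api/login" and ev["status"] == 401:
            failures[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            window = [e for e in events[i:]
                      if (e["ts"] - start["ts"]).total_seconds() <= window_s]
            users = {e["user"] for e in window}
            if len(users) < min_users:
                continue
            gaps = [(b["ts"] - a["ts"]).total_seconds()
                    for a, b in zip(window, window[1:])]
            jitter = statistics.pstdev(gaps) if len(gaps) > 1 else 0.0
            alerts[ip] = {
                "distinct_users": len(users),
                "requests": len(window),
                "regular_interval": jitter <= max_jitter_s,
            }
            break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

The single-account retries from 198.51.100.4 do not trigger, because the rule keys on the number of distinct usernames rather than the number of failures; a separate brute-force rule covers that case.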