CVE-2026-25889

5.4 MEDIUM

📋 TL;DR

A case-sensitivity flaw in File Browser's password validation allows authenticated users to change passwords without providing the current password. By using 'Password' instead of 'password' in API requests, attackers can bypass verification and take over accounts. This affects all File Browser instances prior to version 2.57.1.

💻 Affected Systems

Products:
  • File Browser
Versions: All versions prior to 2.57.1
Operating Systems: All platforms running File Browser
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all configurations where password change functionality is enabled (default).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover leading to unauthorized file access, data theft, or system compromise if admin accounts are affected.

🟠 Likely Case: Privilege escalation where authenticated users change passwords to gain persistent access or lock out legitimate users.

🟢 If Mitigated: Limited impact if strong authentication controls, network segmentation, and monitoring are in place.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly accessible to attackers who obtain valid credentials through various means.
🏢 Internal Only: MEDIUM - Internal instances remain vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid JWT, obtained for example through XSS, session hijacking, or credential theft. The bypass technique itself is simple and well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.57.1

Vendor Advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hxw8-4h9j-hq2r

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Stop the File Browser service.
3. Update to version 2.57.1 or later.
4. Restart the File Browser service.
5. Verify functionality.

🔧 Temporary Workarounds

Disable password change functionality (all platforms)

Temporarily disable the password change API endpoints until patching is complete: modify the configuration to remove or restrict access to the /api/users/*/password endpoints.

Implement API request validation (all platforms)

Add middleware to normalize field names and reject requests with unexpected case variations: implement request preprocessing to convert all field names to lowercase before validation.
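As an added example (not code from the File Browser project or from the advisory), a Go middleware implementing the second workaround: it parses the raw JSON body and rejects any key that matches an expected field name only by case before the wrapped handler's own decoder sees it. The `allowed` list, the function names and the 1 MiB body cap are assumptions; the check must run on the raw body because Go's encoding/json matches object keys case-insensitively on decode. It rejects rather than lowercases, so the handler's own decoding path is left untouched.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// CheckFieldCase rejects any JSON object key, at any nesting depth, that equals an
// allowed field name only after case folding ("Password" for "password"). It must
// run on the raw body: encoding/json matches keys case-insensitively on decode.
func CheckFieldCase(body []byte, allowed []string) error {
	var doc any
	if err := json.Unmarshal(body, &doc); err != nil {
		return fmt.Errorf("invalid JSON: %w", err)
	}
	return walk(doc, allowed)
}

func walk(v any, allowed []string) error {
	obj, _ := v.(map[string]any) // nil for arrays and scalars: the loop is a no-op
	for key, child := range obj {
		for _, want := range allowed {
			if key != want && strings.EqualFold(key, want) {
				return fmt.Errorf("field %q differs from %q only by case", key, want)
			}
		}
		if err := walk(child, allowed); err != nil {
			return err
		}
	}
	return nil
}

// FieldCaseMiddleware answers 400 when a JSON body carries a case variant (or is not
// valid JSON), so the wrapped handler only ever sees exact field names.
func FieldCaseMiddleware(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // 1 MiB cap (assumed)
		if err != nil || CheckFieldCase(body, allowed) != nil {
			http.Error(w, "bad request body", http.StatusBadRequest)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the body on intact
		next.ServeHTTP(w, r)
	})
}
```

Wrap only JSON-body routes such as the password-change endpoint, since an empty or non-JSON body is rejected too; keys inside arrays are not descended.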

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to File Browser instances
  • Enable detailed logging and monitoring for password change attempts and review regularly

🔍 How to Verify

Check if Vulnerable:

Check whether the File Browser version is below 2.57.1. Alternatively, attempt a password change using the 'Password' field name instead of 'password' (requires a valid JWT); on a vulnerable instance the change succeeds without the current password.

Check Version:

filebrowser version

Verify Fix Applied:

After updating to 2.57.1 or later, attempt a password change with the 'Password' field name; it should fail with a proper validation error.

📡 Detection & Monitoring

Log Indicators:

  • Unusual password change requests
  • API calls with 'Password' field name instead of 'password'
  • Multiple failed authentication attempts followed by password changes

Network Indicators:

  • POST requests to /api/users/*/password endpoints with unusual field names
  • Traffic patterns showing password changes without preceding successful login

SIEM Query:

source="filebrowser" AND (uri_path="/api/users/*/password" OR message="*password*change*")
