CVE-2026-25890

8.1 HIGH

📋 TL;DR

In File Browser versions before 2.57.1, authenticated users can bypass file access restrictions by adding extra slashes to file paths in requests. This allows unauthorized access to files that should be blocked by 'Disallow' rules. Only authenticated users can exploit this vulnerability.

💻 Affected Systems

Products:
  • File Browser
Versions: All versions before 2.57.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where 'Disallow' rules are configured to restrict file access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authenticated users access sensitive system files, configuration files, or other restricted data, potentially leading to data theft, privilege escalation, or system compromise.

🟠 Likely Case

Users access files outside their intended directory scope, violating data segregation policies and potentially exposing confidential information.

🟢 If Mitigated

With proper network segmentation and minimal user privileges, impact is limited to the specific File Browser instance and its accessible files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and knowledge of restricted file paths.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.57.1

Vendor Advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-4mh3-h929-w968

Restart Required: Yes

Instructions:

1. Stop the File Browser service.
2. Back up configuration and data.
3. Update to version 2.57.1 or later.
4. Restart the File Browser service.

🔧 Temporary Workarounds

Path Normalization Filter (applies to: all)

Place a middleware or reverse proxy in front of File Browser that normalizes request paths by collapsing duplicate slashes before the request reaches the application, so that 'Disallow' rules are evaluated against the canonical path rather than an alternate spelling of it.
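The following Go program is an added illustration of such a normalization filter; it is not File Browser's own code or the project's fix. It assumes a hypothetical `disallowRules` list in the spirit of the 'Disallow' configuration and uses a simple prefix match of its own; the handler names, the `/files`, `/etc` and `/secrets` sample paths and the `probe` helper are all constructed for the example. The point it shows is that every spelling of a path (`/etc//passwd`, `//secrets/key`, `/files/..//etc/hosts`) is reduced to one canonical form before any rule is consulted, and that the backend only ever sees that canonical form.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// disallowRules is a constructed sample list standing in for File Browser's
// 'Disallow' configuration; the prefix-match logic below is this example's own.
var disallowRules = []string{"/etc", "/secrets"}

// normalizePath collapses duplicate slashes and resolves "." and ".." segments,
// so that every spelling of the same location maps to one canonical string.
func normalizePath(p string) string {
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	return path.Clean(p)
}

// isDisallowed reports whether the canonical path is covered by a rule.
// Rules are normalized too, so a rule written with extra slashes still works.
func isDisallowed(canonical string) bool {
	for _, rule := range disallowRules {
		rule = normalizePath(rule)
		if canonical == rule || strings.HasPrefix(canonical, rule+"/") {
			return true
		}
	}
	return false
}

// NormalizeMiddleware canonicalizes the request path, rejects paths a rule
// covers, and rewrites r.URL.Path so the downstream handler (or a proxy to
// File Browser) never receives the un-normalized spelling.
func NormalizeMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		canonical := normalizePath(r.URL.Path)
		if isDisallowed(canonical) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		r.URL.Path = canonical
		r.URL.RawPath = "" // drop any encoded form so Path is authoritative
		next.ServeHTTP(w, r)
	})
}

// probe sends one request through the middleware to a stand-in backend and
// returns the status code and the path the backend actually observed
// (empty when the middleware rejected the request).
func probe(rawPath string) (int, string) {
	var seen string
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.URL.Path
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "http://example.invalid"+rawPath, nil)
	NormalizeMiddleware(backend).ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	samples := []string{
		"/files/report.txt",    // allowed, already canonical
		"/etc//passwd",         // duplicate slash inside a disallowed prefix
		"//secrets/key",        // leading duplicate slash
		"/files/..//etc/hosts", // dot segment plus duplicate slash
	}
	for _, p := range samples {
		code, seen := probe(p)
		fmt.Printf("%-22s -> %d  backend saw %q\n", p, code, seen)
	}
}
```

Normalizing before matching is the design choice that matters: checking the raw string against the rules and normalizing afterwards reproduces the bug, because the rule comparison then runs on a spelling the filesystem will not use. Any proxy placed in front of File Browser should also forward the rewritten path, not the original one.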

🧯 If You Can't Patch

  • Restrict authenticated user permissions to minimum necessary
  • Implement network-level access controls to limit File Browser's reach to sensitive directories

🔍 How to Verify

Check if Vulnerable:

Check the File Browser version; if it is below 2.57.1 and 'Disallow' rules are configured, the installation is vulnerable.

Check Version:

filebrowser version

Verify Fix Applied:

After updating to 2.57.1 or later, confirm that requests whose paths contain duplicate slashes are still blocked by the configured 'Disallow' rules.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '//' or multiple slashes in file paths
  • Access to files outside configured directories

Network Indicators:

  • Unusual file access patterns from authenticated users

SIEM Query:

source="filebrowser" AND (url="*//*" OR path="*//*")
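The log indicators and the SIEM query above reduce to one test: does the requested path differ from its canonical form? The Go program below is an added example, not part of this advisory or of File Browser, that applies that test to a constructed access log. The log format (user, method, path, status, one request per line) is invented for the example and is not File Browser's real log layout; the `/api/resources` prefix and the user names are constructed sample values. It goes slightly beyond the query by also flagging paths that are non-canonical for reasons other than duplicate slashes (dot segments), which a `*//*` wildcard alone would miss.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// Finding is one flagged log line together with the reason it was flagged.
type Finding struct {
	Line   int
	User   string
	Raw    string
	Reason string
}

// sampleLog is a constructed access log: user, method, path, status.
// It is not File Browser's real log format; the entries only illustrate
// the indicators the advisory lists.
const sampleLog = `alice GET /api/resources/files/report.txt 200
bob GET /api/resources/etc//passwd 200
carol GET /api/resources//secrets/key 200
alice GET /api/resources/files/notes.md 200
bob GET /api/resources/files/..//etc/hosts 200
`

// suspicious returns a non-empty reason when the request path is not in
// canonical form: duplicate slashes (the indicator from the advisory) or
// dot segments that path.Clean would remove.
func suspicious(rawPath string) string {
	if strings.Contains(rawPath, "//") {
		return "duplicate slashes"
	}
	if path.Clean(rawPath) != rawPath {
		return "non-canonical path (dot segments)"
	}
	return ""
}

// ScanLog parses the log line by line and returns every entry whose
// request path is non-canonical, in log order.
func ScanLog(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	n := 0
	for sc.Scan() {
		n++
		fields := strings.Fields(sc.Text())
		if len(fields) < 4 {
			continue // malformed line; skip rather than guess
		}
		if why := suspicious(fields[2]); why != "" {
			out = append(out, Finding{Line: n, User: fields[0], Raw: fields[2], Reason: why})
		}
	}
	return out
}

// CountByUser aggregates findings per authenticated user, which is the
// useful pivot here since only authenticated users can trigger the bug.
func CountByUser(findings []Finding) map[string]int {
	counts := make(map[string]int)
	for _, f := range findings {
		counts[f.User]++
	}
	return counts
}

func main() {
	findings := ScanLog(sampleLog)
	for _, f := range findings {
		fmt.Printf("line %d user=%s path=%s (%s)\n", f.Line, f.User, f.Raw, f.Reason)
	}
	for user, n := range CountByUser(findings) {
		fmt.Printf("%s: %d non-canonical request(s)\n", user, n)
	}
}
```

On the sample log the scan flags lines 2, 3 and 5 (two from bob, one from carol). In a real deployment the same check belongs on the raw request line, before any proxy has normalized it, since a normalizing proxy placed as a workaround will otherwise hide exactly the requests worth alerting on.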
