File Browser vulnerable to Username Enumeration via Timing Attack in /api/login
Description
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), a computationally expensive operation that is deliberately slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.
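To make the two execution paths concrete, the following is an added Go model of the pre- and post-2.55.0 login logic; it is not File Browser's code. Iterated SHA-256 stands in for bcrypt, a call counter (hashCalls) stands in for wall-clock timing, and the names store, checkPwd, authVulnerable and authFixed are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"os"
)

// Constructed stand-in for bcrypt: iterated, unsalted SHA-256 at a fixed high cost.
// File Browser's users.CheckPwd uses real bcrypt; only the fixed cost matters here.
const iterations = 100000
var hashCalls int // expensive verifications so far; exposes the work per login path

func slowHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	for i := 1; i < iterations; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return string(sum[:]) // raw digest bytes as the stored form
}

func checkPwd(password, stored string) bool {
	hashCalls++
	return subtle.ConstantTimeCompare([]byte(slowHash(password)), []byte(stored)) == 1
}

var store = map[string]string{"admin": slowHash("correct horse")} // constructed: one user
var dummyHash = slowHash("dummy")                                   // plays the patch's constant

// authVulnerable mirrors the pre-2.55.0 short-circuit: unknown users skip the hash.
func authVulnerable(user, pass string) error {
	stored, found := store[user]
	if !found || !checkPwd(pass, stored) {
		return os.ErrPermission
	}
	return nil
}

// authFixed mirrors 2.55.0: checkPwd runs on every path, so cost no longer depends on
// whether the user exists; the trailing !found keeps a dummyHash match from logging in.
func authFixed(user, pass string) error {
	hash, found := store[user]
	if !found {
		hash = dummyHash // unknown user: still pay the full bcrypt-equivalent cost
	}
	if !checkPwd(pass, hash) || !found {
		return os.ErrPermission
	}
	return nil
}
```

With the vulnerable flow an unknown username performs zero expensive verifications and a known one performs one; with the fixed flow both perform exactly one, which is the property a defender can check in a test rather than by timing.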
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/filebrowser/filebrowser (Go) | <= 1.11.0 | — |
| github.com/filebrowser/filebrowser/v2 (Go) | < 2.55.0 | 2.55.0 |
Affected products
- Range: v1.0.0, v1.0.1, v1.0.2, …
Patches
24781badd413 Merge commit from fork
1 file changed · +15 −1
auth/json.go+15 −1 modified@@ -14,6 +14,10 @@ import ( // MethodJSONAuth is used to identify json auth. const MethodJSONAuth settings.AuthMethod = "json" +// dummyHash is used to prevent user enumeration timing attacks. +// It MUST be a valid bcrypt hash. +const dummyHash = "$2a$10$O4mEMeOL/nit6zqe.WQXauLRbRlzb3IgLHsa26Pf0N/GiU9b.wK1m" + type jsonCred struct { Password string `json:"password"` Username string `json:"username"` @@ -52,7 +56,17 @@ func (a JSONAuth) Auth(r *http.Request, usr users.Store, _ *settings.Settings, s } u, err := usr.Get(srv.Root, cred.Username) - if err != nil || !users.CheckPwd(cred.Password, u.Password) { + + hash := dummyHash + if err == nil { + hash = u.Password + } + + if !users.CheckPwd(cred.Password, hash) { + return nil, os.ErrPermission + } + + if err != nil { return nil, os.ErrPermission }
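Review bot: the added `dummyHash` constant carries cost factor `$2a$10$`, so the fallback path only equalises timing when stored user hashes use the same bcrypt cost; extend the comment ("It MUST be a valid bcrypt hash.") to say the cost must also match the cost used when hashing user passwords, and consider a unit test asserting the constant parses as bcrypt, since the diff adds no check that enforces the MUST.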
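Review bot: the trailing `if err != nil { return nil, os.ErrPermission }` after the `CheckPwd` call is load-bearing and deserves a comment so it is not later removed as redundant: `dummyHash` is a fixed value in the source, so a successful `CheckPwd` against it proves nothing about the caller, and only this check keeps the non-existent-user path from reaching the success return. Note also that `usr.Get` errors other than "not found" are folded into the same `os.ErrPermission`, as before the change; if a storage failure should be distinguishable in logs, that belongs here as well.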
References
- github.com/advisories/GHSA-43mm-m3h2-3prc
- nvd.nist.gov/vuln/detail/CVE-2026-23849
- github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889
- github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc