File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL
Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files. This vulnerability is fixed in 2.57.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/filebrowser/filebrowser/v2Go | < 2.57.1 | 2.57.1 |
Affected products
1- Range: < 2.57.2
Patches
1489af403a190fix: remove skip clean
1 file changed · +0 −5
http/http.go+0 −5 modified@@ -35,11 +35,6 @@ func NewHandler( }) index, static := getStaticHandlers(store, server, assetsFs) - // NOTE: This fixes the issue where it would redirect if people did not put a - // trailing slash in the end. I hate this decision since this allows some awful - // URLs https://www.gorillatoolkit.org/pkg/mux#Router.SkipClean - r = r.SkipClean(true) - monkey := func(fn handleFunc, prefix string) http.Handler { return handle(fn, prefix, store, server) }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-4mh3-h929-w968ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25890ghsaADVISORY
- github.com/filebrowser/filebrowser/commit/489af403a19057f6b6b4b1dc0e48cbb26a202ef9ghsax_refsource_MISCWEB
- github.com/filebrowser/filebrowser/releases/tag/v2.57.1ghsax_refsource_MISCWEB
- github.com/filebrowser/filebrowser/security/advisories/GHSA-4mh3-h929-w968ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.