Product
An unauthenticated attacker can impersonate any user, including administrators, or automatically create new user accounts in FileBrowser by forging the `X-Remote-User` HTTP header when the server is configured for proxy authentication and is directly reachable, leading to full administrative control and unauthorized access to data.