{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file-browser/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FileBrowser (all versions supporting proxy authentication)"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","web-vulnerability","privilege-escalation","file-browser","account-creation"],"_cs_type":"advisory","_cs_vendors":["FileBrowser"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability affects FileBrowser instances configured to use proxy authentication (\u003ccode\u003eauth.method=proxy\u003c/code\u003e) where the application server is directly exposed to untrusted networks. This allows any unauthenticated attacker to impersonate any existing user, including the administrator, by simply sending a forged \u003ccode\u003eX-Remote-User\u003c/code\u003e HTTP header during a POST request to the \u003ccode\u003e/api/login\u003c/code\u003e endpoint. Additionally, specifying a non-existent username in the forged header causes FileBrowser to automatically create a new user account with default permissions, providing an account creation primitive without authorization. This vulnerability stems from FileBrowser unconditionally trusting the \u003ccode\u003eX-Remote-User\u003c/code\u003e header without any origin validation or password verification, a behavior present across all versions that support this authentication method. This is a common misconfiguration for organizations using reverse proxies for SSO/LDAP/OAuth. Successful exploitation grants full administrative control over the FileBrowser instance and access to all hosted files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a FileBrowser instance configured with \u003ccode\u003eauth.method=proxy\u003c/code\u003e that is directly reachable (i.e., not exclusively behind a trusted reverse proxy).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the \u003ccode\u003e/api/login\u003c/code\u003e endpoint, including a forged HTTP header, typically \u003ccode\u003eX-Remote-User\u003c/code\u003e, set to a target username such as \u003ccode\u003eadmin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFileBrowser's \u003ccode\u003eProxyAuth.Auth()\u003c/code\u003e function receives the request and extracts the username from the \u003ccode\u003eX-Remote-User\u003c/code\u003e header, implicitly trusting its value without any origin validation (e.g., checking trusted IP addresses) or cryptographic verification.\u003c/li\u003e\n\u003cli\u003eIf the specified username exists, FileBrowser retrieves the corresponding user object from its internal user store. If the username does not exist, the \u003ccode\u003ecreateUser()\u003c/code\u003e function is automatically invoked, creating a new user account with default permissions and a locked, random password.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eloginHandler\u003c/code\u003e proceeds to mint a valid JSON Web Token (JWT) for the impersonated or newly created user. This JWT contains the full permissions of the target user, including administrator privileges if \u003ccode\u003eadmin\u003c/code\u003e was specified.\u003c/li\u003e\n\u003cli\u003eThe attacker receives this valid JWT and uses it in subsequent HTTP requests by including it in the \u003ccode\u003eX-Auth\u003c/code\u003e header to interact with privileged endpoints (e.g., \u003ccode\u003e/api/settings\u003c/code\u003e, \u003ccode\u003e/api/users\u003c/code\u003e) or access specific user resources (e.g., \u003ccode\u003e/api/resources/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full administrative control over the FileBrowser instance, allowing modification of server settings, enumeration of all user accounts, and unauthorized access to all files and data within the application's scope.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to complete compromise of the FileBrowser instance. Attackers gain full administrative control, allowing them to modify server configurations, create, delete, or modify files, and access sensitive data stored within the FileBrowser environment. This also enables the creation of arbitrary user accounts without authorization, potentially leading to further persistence or resource exhaustion. Organizations deploying FileBrowser behind reverse proxies, especially those exposing the application's port directly to an untrusted network (e.g., due to Docker container defaults or misconfigured cloud security groups), are at high risk of data breach and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eRestrict direct access:\u003c/strong\u003e Configure network firewalls or security groups to ensure the FileBrowser application is only accessible by trusted reverse proxies, preventing direct access from untrusted networks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview logging\u003c/strong\u003e: Deploy the provided Sigma rule to detect POST requests to \u003ccode\u003e/api/login\u003c/code\u003e containing the \u003ccode\u003eX-Remote-User\u003c/code\u003e header. Ensure web server logs capture the \u003ccode\u003eX-Remote-User\u003c/code\u003e HTTP header for effective detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUpdate configuration:\u003c/strong\u003e If direct exposure is unavoidable, consider switching \u003ccode\u003eauth.method\u003c/code\u003e from \u003ccode\u003eproxy\u003c/code\u003e to \u003ccode\u003ejson\u003c/code\u003e and implementing alternative, more secure authentication mechanisms at the application layer or within a properly secured reverse proxy setup.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement trusted proxy validation:\u003c/strong\u003e If using \u003ccode\u003eauth.method=proxy\u003c/code\u003e is essential, implement stringent trusted proxy validation at the network layer or enhance FileBrowser with origin validation checks (e.g., by contributing a patch to verify \u003ccode\u003er.RemoteAddr\u003c/code\u003e against a list of trusted IPs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:37:06Z","date_published":"2026-07-10T19:37:06Z","id":"https://feed.craftedsignal.io/briefs/2026-07-filebrowser-auth-bypass/","summary":"An unauthenticated attacker can impersonate any user, including administrators, or automatically create new user accounts in FileBrowser by forging the `X-Remote-User` HTTP header when the server is configured for proxy authentication and is directly reachable, leading to full administrative control and unauthorized access to data.","title":"FileBrowser Authentication Bypass via Forged Proxy Authentication Header","url":"https://feed.craftedsignal.io/briefs/2026-07-filebrowser-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-35607"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["File Browser"],"_cs_severities":["high"],"_cs_tags":["file-browser","authentication-bypass","privilege-escalation","cve-2026-35607"],"_cs_type":"advisory","_cs_vendors":["File Browser"],"content_html":"\u003cp\u003eFile Browser is a file management interface that allows users to upload, delete, preview, rename, and edit files. A vulnerability, identified as CVE-2026-35607, exists in versions prior to 2.63.1. This flaw stems from inconsistent application of a fix intended to restrict execution permissions for self-registered users. While the fix was correctly implemented for the signup handler (commit b6a4fb1), it was not applied to the proxy authentication handler. As a result, users automatically created upon their first successful proxy authentication login are inadvertently granted execution capabilities based on global defaults. This contradicts the intended security measure of preventing automatic accounts from inheriting execution rights. This vulnerability allows unauthorized users to execute commands, potentially leading to system compromise. The issue is resolved in File Browser version 2.63.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user attempts to access the File Browser interface via proxy authentication.\u003c/li\u003e\n\u003cli\u003eThe File Browser instance, running a version prior to 2.63.1, authenticates the user through the proxy.\u003c/li\u003e\n\u003cli\u003eIf the user does not already exist, the application automatically creates a new user account.\u003c/li\u003e\n\u003cli\u003eDue to the missing fix in the proxy authentication handler, the newly created user account is granted execution permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the granted execution permissions to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThese commands could be used to read sensitive files, modify system configurations, or install malicious software.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the file management interface to upload a malicious script.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious script, achieving arbitrary code execution on the server, potentially leading to data exfiltration or system takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35607 allows unauthenticated or newly authenticated users to gain unauthorized execution privileges within the File Browser application. This can lead to the execution of arbitrary commands, potentially compromising the server hosting the application. The CVSS v3.1 base score for this vulnerability is 8.1, indicating a high level of severity. Depending on the server configuration, this could result in data breaches, system downtime, or complete system takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade File Browser to version 2.63.1 or later to remediate CVE-2026-35607.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026quot;Detect File Browser Unauthorized Command Execution\u0026quot; to identify potential exploitation attempts by monitoring for suspicious process creation events initiated by the File Browser process.\u003c/li\u003e\n\u003cli\u003eReview and restrict the default execution permissions for File Browser to minimize the impact of potential exploits.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity associated with File Browser, specifically HTTP requests related to file uploads and execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T12:00:00Z","date_published":"2024-01-08T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-file-browser-auth-bypass/","summary":"File Browser versions before 2.63.1 improperly grant execution capabilities to new users created via proxy authentication, leading to privilege escalation.","title":"File Browser Proxy Authentication Bypass Vulnerability (CVE-2026-35607)","url":"https://feed.craftedsignal.io/briefs/2024-01-file-browser-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - File-Browser","version":"https://jsonfeed.org/version/1.1"}