CVE-2026-23849

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions File Browser versions prior to 2.55.0

Description File Browser provides a file managing interface for tasks like uploading, deleting, and editing files. A flaw in the JSONAuth.Auth function allows unauthenticated attackers to identify valid usernames by observing the response time of the /api/login endpoint. This is possible because the authentication logic has a "short-circuit" evaluation. When a username is not found, the function returns quickly, but when a username exists, a slower password verification process using users.CheckPwd is executed, creating a measurable timing difference.

Recommendations Update to version 2.55.0 or later.

Exploit

Fix

Side Channel Attack

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-208CWE-203

Related Identifiers

CVE-2026-23849

GHSA-43MM-M3H2-3PRC

GO-2026-4344

SUSE-SU-2026:0403-1

Affected Products

Filebrowser

CVE-2026-23849

Weakness Enumeration

Related Identifiers

Affected Products

References · 89