CVE-2026-23849

CVE-2026-23849

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.

Published Jan 20, 2026

Advisory · GHSA-43mm-m3h2-3prc

CVSS ScoreMedium

5.3

Vulnerabilities

CVE-2026-23849

Published Jan 20, 2026

Advisory · GHSA-43mm-m3h2-3prc

CVSS ScoreMedium

5.3

CVE-2026-23849 Security Details

CVE ID: CVE-2026-23849
CWE: CWE-203
CWE-208
CVE Description: File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.
Published: Jan 20, 2026
CVSS Score & Severity: 5.3Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score: 0.203%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Affected Ecosystems: affected
Source: National Vulnerability Database
References: GitHub · Advisory · GHSA-43mm-m3h2-3prcTHIRD_PARTY

CVE-2026-23849 Security Details

CVE ID: CVE-2026-23849
CWE: CWE-203
CWE-208
CVE Description: File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.
Published: Jan 20, 2026
CVSS Score & Severity: 5.3Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score: 0.203%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Affected Ecosystems: affected
Source: National Vulnerability Database
References: GitHub · Advisory · GHSA-43mm-m3h2-3prcTHIRD_PARTY

Find vulnerabilities. Fix fast with AI.

CVE-2026-23849

CVE-2026-23849 Security Details

CVE-2026-23849 Security Details