{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23849", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T15:46:40.843Z", "datePublished": "2026-01-19T20:37:29.716Z", "dateUpdated": "2026-01-20T15:54:36.499Z"}, "containers": {"cna": {"title": "File Browser vulnerable to Username Enumeration via Timing Attack in /api/login", "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc"}, {"name": "https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889", "tags": ["x_refsource_MISC"], "url": "https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889"}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"version": "< 2.55.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T20:37:29.716Z"}, "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a \"short-circuit\" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue."}], "source": {"advisory": "GHSA-43mm-m3h2-3prc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T15:54:21.087323Z", "id": "CVE-2026-23849", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:54:36.499Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23849", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T15:54:21.087323Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:54:30.710Z"}}], "cna": {"title": "File Browser vulnerable to Username Enumeration via Timing Attack in /api/login", "source": {"advisory": "GHSA-43mm-m3h2-3prc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"status": "affected", "version": "< 2.55.0"}]}], "references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc", "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889", "name": "https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a \"short-circuit\" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208: Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T20:37:29.716Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23849", "state": "PUBLISHED", "dateUpdated": "2026-01-20T15:54:36.499Z", "dateReserved": "2026-01-16T15:46:40.843Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T20:37:29.716Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "matchCriteriaId": "36CB8D4B-1DFD-4F56-81BD-E31B346B0CE5", "versionEndExcluding": "2.55.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a \"short-circuit\" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue."}], "id": "CVE-2026-23849", "lastModified": "2026-02-03T14:30:45.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-19T21:15:51.653", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T04:58:44.734752+00:00", "value": {"mitigation_remediation": ["Upgrade File Browser to version 2.55.0 or later to apply the official patch that removes the premature return logic.", "If immediate upgrade is not possible, restrict access to the /api/login endpoint by implementing IP whitelisting or network segmentation to limit the attack surface.", "Deploy rate\u2011limiting or CAPTCHA mechanisms on the login endpoint to reduce the feasibility of timing measurements used for enumeration."], "summary": {"action": "Immediate Patch", "impact": "Username Enumeration via timing attack on /api/login"}, "threat_synthesis": {"affected_systems": "The flaw affects all instances of File Browser prior to version 2.55.0. Users deploying any version before that threshold, regardless of operating system or environment, are susceptible if the /api/login interface is exposed to the network.", "description_and_impact": "File Browser\u2019s authentication routine prematurely exits when a supplied username does not exist, whereas it performs a costly bcrypt comparison for existing usernames. This timing difference allows an unauthenticated attacker to deduce valid usernames by consistently measuring response latency, thereby revealing account names that could be leveraged for subsequent credential abuse or social engineering. The weakness is classified as CWE-203 and CWE-208, representing information leakage through timing and race conditions.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate impact, and the EPSS score of less than 1% suggests a low probability of exploitation under current threat intelligence. However, the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to measure timing accurately, which may be easier on low\u2011latency, high\u2011packet\u2011rate networks. The attack vector is primarily remote, accessed through the web API endpoint exposed over the network. Once enumeration is achieved, attackers can attempt to guess or brute\u2011force passwords for the revealed accounts, potentially escalating to full compromise of the file management system."}}}}, "created": "2026-01-20T08:40:45.532376+00:00", "updated": "2026-04-18T05:00:06.041573+00:00", "vendors": ["filebrowser", "filebrowser$PRODUCT$filebrowser"]}