CVE-2026-25890: File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL
An authenticated user can bypass the application's "Disallow" file path rules by altering the request URL. Prefixing the path with more than one slash (e.g., //private/ instead of /private/) causes the authorization check, which compares the request path against the rule as written, to miss the match, while the underlying filesystem collapses the redundant slashes and resolves the same location, granting access to files the rule was meant to restrict. The fix shipped in File Browser v2.57.1 (see the referenced commit and release); instances on earlier versions should be upgraded, and any rule-based path restriction should be evaluated against a normalized path rather than the raw request path.
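The following Go program is an added illustration of the bug class, not File Browser's own code: the `Rule` type, `allowedNaive` and `allowedHardened` are constructed here to show the shape of the flaw (a prefix comparison on the un-normalized request path) beside the corrected form, which runs the path through `path.Clean` before matching. The sample paths are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is a simplified "Disallow" rule for this example: any request path
// equal to Prefix or underneath it is denied. It is not File Browser's
// real rule type.
type Rule struct {
	Prefix string // e.g. "/private"
}

// allowedNaive mirrors the vulnerable shape: the request path is matched
// against the rules exactly as the client sent it. "//private/secret.txt"
// does not begin with "/private/", so the rule never fires, even though the
// OS resolves "//private/secret.txt" and "/private/secret.txt" identically.
func allowedNaive(reqPath string, rules []Rule) bool {
	for _, r := range rules {
		if reqPath == r.Prefix || strings.HasPrefix(reqPath, r.Prefix+"/") {
			return false
		}
	}
	return true
}

// normalize anchors the path at "/" and collapses repeated slashes and
// "." / ".." segments, so every spelling of the same location compares equal.
// It must run after URL decoding and before any rule lookup.
func normalize(reqPath string) string {
	return path.Clean("/" + reqPath)
}

// allowedHardened applies the same rule logic to the normalized path, which
// is the corrected form: the check now sees what the filesystem will see.
func allowedHardened(reqPath string, rules []Rule) bool {
	return allowedNaive(normalize(reqPath), rules)
}

func main() {
	rules := []Rule{{Prefix: "/private"}}
	for _, p := range []string{
		"/private/secret.txt",         // plainly blocked
		"//private/secret.txt",        // the bypass: extra leading slash
		"/public/../private/secret.txt", // dot-segment variant
		"/public/readme.txt",          // legitimately allowed
	} {
		fmt.Printf("%-32s naive=%-5v hardened=%-5v (normalized %s)\n",
			p, allowedNaive(p, rules), allowedHardened(p, rules), normalize(p))
	}
}
```

The hardened check is only as good as the normalization it sits behind: run it on the decoded path the handler will actually open, and keep the component-aware comparison (`Prefix + "/"`) so that a rule for `/private` does not accidentally cover `/privateer`.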
References
- github.com/advisories/GHSA-4mh3-h929-w968
- github.com/filebrowser/filebrowser
- github.com/filebrowser/filebrowser/commit/489af403a19057f6b6b4b1dc0e48cbb26a202ef9
- github.com/filebrowser/filebrowser/releases/tag/v2.57.1
- github.com/filebrowser/filebrowser/security/advisories/GHSA-4mh3-h929-w968
- nvd.nist.gov/vuln/detail/CVE-2026-25890