CVE-2026-23849 Overview
CVE-2026-23849 is a timing attack vulnerability in File Browser, a web-based file management interface that allows users to upload, delete, preview, rename, and edit files within a specified directory. Prior to version 2.55.0, the JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint.
This vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy that can be exploited for username enumeration.
Critical Impact
Unauthenticated attackers can enumerate valid usernames remotely, potentially enabling targeted brute-force attacks or credential stuffing against confirmed user accounts.
Affected Products
- File Browser versions prior to 2.55.0
Discovery Timeline
- 2026-01-19 - CVE CVE-2026-23849 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2026-23849
Vulnerability Analysis
The vulnerability is classified under CWE-208 (Observable Timing Discrepancy). The authentication endpoint at /api/login exhibits different response times depending on whether a submitted username exists in the system. This timing side-channel occurs because the application's authentication logic follows two distinct code paths with significantly different computational requirements.
When an invalid username is submitted, the application immediately returns an authentication failure without performing any password verification. Conversely, when a valid username is provided, the application proceeds to call the users.CheckPwd function, which invokes bcrypt password hashing, an intentionally slow operation designed to resist brute-force attacks. The irony is that bcrypt's security feature creates the very timing discrepancy that enables username enumeration.
An attacker can systematically submit login requests with different usernames while measuring response times. Responses that take measurably longer indicate valid usernames, as the bcrypt verification was invoked. This information can then be used to build a list of valid accounts for targeted attacks.
Root Cause
The root cause is the early-return pattern in the JSONAuth.Auth function that creates observable timing differences between valid and invalid username lookups. The authentication logic does not equalize the cost of the two paths: the expensive password verification is only performed when the username exists, so the initial user existence check leaks through response latency and lets attackers distinguish the two code paths.
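The early-return shape described above, placed beside a hardened form that pays the verification cost on both paths. This is an added illustration written for this page, not File Browser's JSONAuth.Auth or users.CheckPwd; the iterated-SHA-256 slowHash stands in for bcrypt so the block runs with only the standard library, and the round count, the user database and the salt are constructed values. A call counter records which path invoked the expensive verifier, which is the property the fix changes:

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// rounds is an arbitrary assumption chosen so that slowHash is measurably
// expensive, in the same spirit as bcrypt's work factor.
const rounds = 50000

// verifyCalls counts how often the expensive verifier ran, so a test can
// observe which code path an attempt took without relying on wall-clock timing.
var verifyCalls int

// slowHash is a stand-in for bcrypt: iterated SHA-256 over salt||password.
func slowHash(password, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < rounds; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// slowVerify plays the role of users.CheckPwd: recompute and compare in constant time.
func slowVerify(stored, salt, password []byte) bool {
	verifyCalls++
	return subtle.ConstantTimeCompare(stored, slowHash(password, salt)) == 1
}

type user struct{ hash, salt []byte }

// Constructed sample user store with a single account.
var salt = []byte("constructed-salt")
var db = map[string]user{
	"alice": {hash: slowHash([]byte("correct horse"), salt), salt: salt},
}

// vulnerableAuth mirrors the pre-2.55.0 pattern: an unknown username
// returns before any hashing, so a miss is much faster than a hit.
func vulnerableAuth(username, password string) bool {
	u, ok := db[username]
	if !ok {
		return false // fast path: the expensive verifier never runs
	}
	return slowVerify(u.hash, u.salt, []byte(password))
}

// dummyUser is a throwaway record verified against when the lookup misses,
// so that a miss costs the same as a hit.
var dummyUser = user{hash: slowHash([]byte("dummy"), salt), salt: salt}

// hardenedAuth always runs the expensive verifier and only then folds the
// lookup result in, so both failure modes take the same time.
func hardenedAuth(username, password string) bool {
	u, ok := db[username]
	if !ok {
		u = dummyUser
	}
	pwOK := slowVerify(u.hash, u.salt, []byte(password))
	return ok && pwOK
}

// timeCall reports how long one authentication attempt takes.
func timeCall(f func(string, string) bool, username, password string) time.Duration {
	start := time.Now()
	f(username, password)
	return time.Since(start)
}

func main() {
	fmt.Println("vulnerable, unknown user:", timeCall(vulnerableAuth, "nobody", "x"))
	fmt.Println("vulnerable, known user:  ", timeCall(vulnerableAuth, "alice", "x"))
	fmt.Println("hardened, unknown user:  ", timeCall(hardenedAuth, "nobody", "x"))
	fmt.Println("hardened, known user:    ", timeCall(hardenedAuth, "alice", "x"))
}
```

Running main prints four durations; the first is orders of magnitude shorter than the other three, which is exactly the gap an enumerating client measures. The hardened version still reports only "authentication failed" in both cases, and the `ok && pwOK` fold means a chance match against the dummy record can never log anyone in.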
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker sends multiple HTTP POST requests to the /api/login endpoint with different usernames while recording response times. Statistical analysis of the timing data reveals which usernames exist in the system based on the measurable delay introduced by bcrypt password verification on valid accounts.
The attack requires no user interaction and can be automated using simple scripting tools. By analyzing the response time distribution, attackers can reliably identify valid usernames even in the presence of network jitter, especially when collecting multiple samples per username.
Detection Methods for CVE-2026-23849
Indicators of Compromise
- High volume of failed authentication attempts against the /api/login endpoint from a single source IP
- Systematic username enumeration patterns showing sequential or dictionary-based username testing
- Unusual authentication request patterns with minimal time between requests
- Login attempts using usernames not previously seen in normal application usage
Detection Strategies
- Implement rate limiting detection on the /api/login endpoint to identify brute-force enumeration attempts
- Monitor authentication logs for patterns of failed logins across multiple usernames from single IP addresses
- Deploy web application firewall (WAF) rules to detect and block automated enumeration tools
- Analyze request timing patterns to identify systematic probing behavior
Monitoring Recommendations
- Enable detailed authentication logging including timestamps and source IP addresses
- Set up alerts for authentication failure rate thresholds exceeded within defined time windows
- Monitor for reconnaissance activity targeting the login endpoint
- Track login attempt frequency per source IP to identify enumeration campaigns
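The detection strategy and monitoring recommendations above both come down to counting failed logins against many distinct usernames from one source within a short window. The following is an added example, not a File Browser component: it runs that check over a handful of constructed log lines in an assumed key=value format (File Browser's real authentication log format is not given on this page), using a sliding window per source IP and flagging any IP that fails against at least a configured number of different usernames inside the window:

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// attempt is one parsed login event.
type attempt struct {
	at   time.Time
	ip   string
	user string
	ok   bool
}

// sampleLog is constructed data: one source probing five usernames in two
// seconds, and one ordinary user who mistypes a password twice then logs in.
const sampleLog = `
2026-01-20T10:00:00Z ip=203.0.113.5 user=admin result=fail
2026-01-20T10:00:00Z ip=203.0.113.5 user=root result=fail
2026-01-20T10:00:01Z ip=203.0.113.5 user=test result=fail
2026-01-20T10:00:01Z ip=203.0.113.5 user=alice result=fail
2026-01-20T10:00:02Z ip=203.0.113.5 user=bob result=fail
2026-01-20T10:00:05Z ip=198.51.100.7 user=alice result=fail
2026-01-20T10:00:09Z ip=198.51.100.7 user=alice result=fail
2026-01-20T10:00:15Z ip=198.51.100.7 user=alice result=ok
`

// parseLine parses the assumed "<RFC3339> ip=<addr> user=<name> result=<ok|fail>" format.
func parseLine(line string) (attempt, error) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return attempt{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return attempt{}, err
	}
	kv := func(s, key string) string { return strings.TrimPrefix(s, key+"=") }
	return attempt{
		at:   at,
		ip:   kv(fields[1], "ip"),
		user: kv(fields[2], "user"),
		ok:   kv(fields[3], "result") == "ok",
	}, nil
}

// enumerators returns, sorted, the source IPs whose failed logins cover at
// least minUsers distinct usernames within some window of the given length.
func enumerators(log string, window time.Duration, minUsers int) []string {
	byIP := map[string][]attempt{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		a, err := parseLine(line)
		if err != nil || a.ok {
			continue // only failures contribute to the enumeration signal
		}
		byIP[a.ip] = append(byIP[a.ip], a)
	}
	var flagged []string
	for ip, as := range byIP {
		sort.Slice(as, func(i, j int) bool { return as[i].at.Before(as[j].at) })
		start := 0
		seen := map[string]int{} // distinct usernames inside the current window
		for end := range as {
			seen[as[end].user]++
			for as[end].at.Sub(as[start].at) > window {
				seen[as[start].user]--
				if seen[as[start].user] == 0 {
					delete(seen, as[start].user)
				}
				start++
			}
			if len(seen) >= minUsers {
				flagged = append(flagged, ip)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	fmt.Println("enumeration suspects:", enumerators(sampleLog, time.Minute, 4))
}
```

Counting distinct usernames rather than raw failures is what separates an enumeration run from a single user who keeps getting their own password wrong; the threshold and window are tuning knobs, and lowering them trades false positives for earlier alerts.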
How to Mitigate CVE-2026-23849
Immediate Actions Required
- Upgrade File Browser to version 2.55.0 or later immediately
- Implement rate limiting on the /api/login endpoint to slow enumeration attempts
- Consider implementing account lockout policies or CAPTCHA after failed login attempts
- Review authentication logs for evidence of prior exploitation
Patch Information
The vulnerability has been addressed in File Browser version 2.55.0. The fix is available in commit 24781badd413ee20333aba5cce1919d676e01889. The patch implements constant-time behavior in the authentication function to eliminate the observable timing discrepancy between valid and invalid username lookups.
For detailed information about the vulnerability and the fix, refer to the GitHub Security Advisory GHSA-43mm-m3h2-3prc.
Workarounds
- Place File Browser behind a reverse proxy with rate limiting capabilities to throttle enumeration attempts
- Implement fail2ban or similar tools to automatically block IP addresses exhibiting enumeration behavior
- Restrict access to the File Browser login page to trusted IP ranges using firewall rules
- Enable multi-factor authentication if available to mitigate the impact of username enumeration
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.