Cyber Resilience

CVE-2026-25890

Severity: High · Public PoC

Published: 09 February 2026
Modified: 20 February 2026
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0046 (36.5th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25890 is a high-severity Use of Incorrectly-Resolved Name or Reference (CWE-706) vulnerability in Filebrowser Filebrowser. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 36.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25890 affects File Browser, a web-based file management interface for uploading, deleting, previewing, renaming, and editing files within specified directories, in versions prior to 2.57.1. The vulnerability enables an authenticated user to bypass the application's "Disallow" file path rules by modifying the request URL, such as by adding multiple slashes (e.g., //private/) to the path. This causes the authorization check to fail matching the rule, while the underlying filesystem correctly resolves the path, resulting in unauthorized access to restricted files. It has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-706 (Use of Incorrectly-Resolved Name Into a Namespace) and CWE-863 (Incorrect Authorization).

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity and no user interaction required. By crafting requests with multiple slashes in disallowed paths, they bypass restrictions to access, preview, rename, edit, or delete sensitive files outside the permitted scope, achieving high impacts on confidentiality and integrity but no availability disruption.

The issue is addressed in File Browser version 2.57.1. The GitHub security advisory (GHSA-4mh3-h929-w968) details the vulnerability, the release notes for v2.57.1 confirm the fix, and the patching commit (489af403a19057f6b4b1dc0e48cbb26a202ef9) implements the resolution to properly handle path normalization in authorization checks. Security practitioners should upgrade to 2.57.1 or later and review access controls for file paths.
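The root cause described above is a mismatch between the string the authorization check inspects and the path the filesystem actually opens. The following Go snippet is an added illustration, not code from the File Browser project: it contrasts a rule check that compares the raw request path against a "Disallow" prefix with one that normalizes the path first. The names Rule, vulnerableAllowed, normalize and hardenedAllowed are constructed for this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is a simplified stand-in for a "Disallow" path rule
// (constructed for this example, not the project's own type).
type Rule struct {
	Prefix string // path prefix that must not be accessed
}

// vulnerableAllowed matches rules against the raw request path.
// "//private/secret.txt" does not start with "/private/", so the rule
// is skipped even though the filesystem resolves the same request to
// /private/secret.txt. This is the CWE-706 pattern from the advisory.
func vulnerableAllowed(rules []Rule, rawPath string) bool {
	for _, r := range rules {
		if strings.HasPrefix(rawPath, r.Prefix) {
			return false
		}
	}
	return true
}

// normalize collapses repeated slashes and "." / ".." segments and forces
// a leading slash, so the string compared against rules is the same one
// the filesystem will open.
func normalize(rawPath string) string {
	return path.Clean("/" + rawPath)
}

// hardenedAllowed normalizes before matching and treats the denied prefix
// as a directory boundary: "/private" denies "/private/x" but not "/privateer".
func hardenedAllowed(rules []Rule, rawPath string) bool {
	p := normalize(rawPath)
	for _, r := range rules {
		deny := path.Clean("/" + r.Prefix)
		if p == deny || strings.HasPrefix(p, deny+"/") {
			return false
		}
	}
	return true
}

func main() {
	rules := []Rule{{Prefix: "/private/"}}
	for _, req := range []string{"/private/a.txt", "//private/a.txt", "/public/../private/a.txt"} {
		fmt.Printf("%-28s raw-check=%-5v normalized-check=%v\n",
			req, vulnerableAllowed(rules, req), hardenedAllowed(rules, req))
	}
}
```

The raw-prefix check lets the doubled-slash and dot-segment variants through while the normalized check denies all three; the same normalization should be applied before any prefix-based authorization decision.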

Vulnerability details

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files. This vulnerability is fixed in 2.57.1.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

A path authorization bypass in an exposed file manager directly enables exploitation for privilege escalation (T1068), which in turn allows unauthorized data access (T1005) and file and directory discovery (T1083) on the underlying system.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35604 (same product: Filebrowser Filebrowser)
CVE-2026-35606 (same product: Filebrowser Filebrowser)
CVE-2026-30933 (same product: Filebrowser Filebrowser)
CVE-2026-32760 (same product: Filebrowser Filebrowser)
CVE-2026-35605 (same product: Filebrowser Filebrowser)
CVE-2025-64523 (same product: Filebrowser Filebrowser)
CVE-2026-32759 (same product: Filebrowser Filebrowser)
CVE-2026-35607 (same product: Filebrowser Filebrowser)
CVE-2026-30934 (same product: Filebrowser Filebrowser)
CVE-2026-34529 (same product: Filebrowser Filebrowser)

Affected Assets

Vendor: filebrowser
Product: filebrowser
Versions: ≤ 2.57.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 requires enforcement of approved authorizations for file access, directly addressing the bypass of "Disallow" path rules via malformed URLs such as those containing multiple slashes.

Prevent: SI-10 mandates validation of inputs such as file paths to prevent exploitation of path normalization discrepancies that allow unauthorized access to restricted directories.

Prevent: AC-6 applies least privilege to limit the scope of access for authenticated low-privilege users, mitigating the impact of authorization bypasses on sensitive files.
