CVE-2026-25890
Published: 09 February 2026
Summary
CVE-2026-25890 is a high-severity Use of Incorrectly-Resolved Name or Reference (CWE-706) vulnerability in the Filebrowser project's File Browser. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
AC-3 requires enforcement of approved authorizations for file access, directly addressing the bypass of 'Disallow' path rules via malformed URLs such as paths containing repeated slashes.
SI-10 mandates validation of inputs such as file paths to prevent exploitation of path normalization discrepancies that allow unauthorized access to restricted directories.
AC-6 applies least privilege to limit the scope of access for authenticated low-privilege users, mitigating the impact of authorization bypasses on sensitive files.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
A path authorization bypass in an exposed file manager directly enables exploitation for privilege escalation (T1068), which in turn yields unauthorized data access (T1005) and file and directory discovery (T1083) on the underlying system.
NVD Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files. This vulnerability is fixed in 2.57.1.
Deeper analysis (AI-generated)
CVE-2026-25890 affects File Browser, a web-based file management interface for uploading, deleting, previewing, renaming, and editing files within specified directories, in versions prior to 2.57.1. The vulnerability enables an authenticated user to bypass the application's "Disallow" file path rules by modifying the request URL, for example by adding multiple slashes (e.g., //private/) to the path. The authorization check compares the path as received and therefore fails to match the rule, while the underlying filesystem normalizes the same path and resolves it correctly, so the request reaches restricted files. It has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-706 (Use of Incorrectly-Resolved Name or Reference) and CWE-863 (Incorrect Authorization).
An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity and no user interaction required. By crafting requests with multiple slashes in disallowed paths, they bypass restrictions to access, preview, rename, edit, or delete sensitive files outside the permitted scope, achieving high impacts on confidentiality and integrity but no availability disruption.
The issue is addressed in File Browser version 2.57.1. The GitHub security advisory (GHSA-4mh3-h929-w968) details the vulnerability, the release notes for v2.57.1 confirm the fix, and the patching commit (489af403a19057f6b4b1dc0e48cbb26a202ef9) implements the resolution to properly handle path normalization in authorization checks. Security practitioners should upgrade to 2.57.1 or later and review access controls for file paths.
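The NVD description and the analysis above both come down to one defect: the rule matcher sees the request path as typed, while the filesystem sees the normalized path. The following Go program is an added example written for this page, not File Browser's own code; the `Rule` type and the `Denied` functions are assumptions. It places the unnormalized comparison beside a hardened one that cleans the path first and matches on whole path segments, then runs both over constructed request paths including the repeated-slash form from the advisory.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is a simplified stand-in for a "Disallow" path rule (assumption: not
// File Browser's real rule type). A request whose normalized path equals
// Prefix or lies beneath it is denied.
type Rule struct {
	Prefix string
}

// matchesRaw compares the request path exactly as received. This is the
// class of defect the advisory describes: "//private/x" does not begin with
// "/private/", so the rule never fires even though the filesystem will open
// /private/x.
func matchesRaw(rule Rule, reqPath string) bool {
	return reqPath == rule.Prefix || strings.HasPrefix(reqPath, rule.Prefix+"/")
}

// normalize brings a request path into the canonical form the filesystem
// will resolve: leading slash guaranteed, repeated slashes collapsed,
// "." and ".." segments resolved, trailing slash removed. The url-path
// package is used on purpose; filepath.Clean would apply OS-specific rules.
func normalize(reqPath string) string {
	if !strings.HasPrefix(reqPath, "/") {
		reqPath = "/" + reqPath
	}
	return path.Clean(reqPath)
}

// matchesNormalized is the hardened check: normalize both sides, then match
// on whole segments so that "/privateer" does not match a "/private" rule.
func matchesNormalized(rule Rule, reqPath string) bool {
	p := normalize(reqPath)
	r := normalize(rule.Prefix)
	return p == r || strings.HasPrefix(p, r+"/")
}

// Denied reports whether any disallow rule blocks reqPath using the
// normalized comparison.
func Denied(rules []Rule, reqPath string) bool {
	for _, rule := range rules {
		if matchesNormalized(rule, reqPath) {
			return true
		}
	}
	return false
}

// DeniedRaw is the same loop over the unnormalized comparison, kept only to
// show the gap between the two.
func DeniedRaw(rules []Rule, reqPath string) bool {
	for _, rule := range rules {
		if matchesRaw(rule, reqPath) {
			return true
		}
	}
	return false
}

func main() {
	rules := []Rule{{Prefix: "/private"}}
	// Constructed request paths for the demonstration.
	requests := []string{
		"/private/secret.txt",
		"//private/secret.txt",
		"/public/../private/secret.txt",
		"/private/./secret.txt",
		"/privateer/readme.txt",
		"/public/notes.txt",
	}
	for _, req := range requests {
		fmt.Printf("%-32s raw-denied=%-5v normalized-denied=%v\n",
			req, DeniedRaw(rules, req), Denied(rules, req))
	}
}
```

The segment-boundary check (`r+"/"`) matters as much as the cleaning step: a bare prefix comparison on the cleaned path would deny `/privateer/readme.txt` under a `/private` rule, which is a false positive, while still allowing a sibling-named directory to be confused with the protected one in the other direction. Normalizing the rule itself guards against a rule configured with a trailing slash or repeated slashes.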
Details
- CWE(s)