CVE-2026-23849
Unknown Unknown - Not Provided
Timing Attack in File Browser JSONAuth Enables Username Enumeration

Publication date: 2026-01-19

Last updated on: 2026-02-03

Assigner: GitHub, Inc.

Description
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23849
EUVD
EUVD-2026-3287
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
filebrowser filebrowser to 2.55.0 (exc)
filebrowser filebrowser 2.55.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23849 is a timing attack vulnerability in the FileBrowser project's login API. The issue arises because the authentication function behaves differently in terms of response time depending on whether a username exists. If the username is not found, the function returns immediately without checking the password. If the username exists, it performs a bcrypt password check, which takes significantly longer. This timing difference allows an unauthenticated attacker to enumerate valid usernames by measuring response times to login attempts. [1]

Impact Analysis

This vulnerability allows unauthenticated remote attackers to discover valid usernames by measuring response times. Knowing valid usernames facilitates targeted brute-force or credential stuffing attacks against those accounts, weakening the overall security posture by exposing user existence information. [1]

Detection Guidance

This vulnerability can be detected by performing a timing attack against the /api/login endpoint of the FileBrowser service. An unauthenticated attacker can send login requests with various usernames and measure the response times. Valid usernames cause longer response times (~50ms+) due to bcrypt password verification, while invalid usernames return quickly (~1ms). A proof-of-concept Python script automates this by calibrating network latency with random usernames, then measuring response times for usernames from a wordlist, using statistical analysis to identify valid usernames based on timing differences. [1]

Mitigation Strategies

The immediate mitigation is to upgrade FileBrowser to version 2.55.0 or later, where the vulnerability is patched. The patch introduces a constant dummy bcrypt hash used during authentication attempts for non-existent users, ensuring the password verification step is always performed and response times are consistent regardless of username validity. This prevents attackers from inferring valid usernames based on timing differences. [2]

Compliance Impact

This vulnerability allows unauthenticated attackers to enumerate valid usernames by exploiting timing differences in the authentication process. Such exposure of user existence information can weaken the security posture and potentially lead to targeted attacks, which may result in unauthorized access to personal or sensitive data. Consequently, this could impact compliance with standards and regulations like GDPR and HIPAA that require protecting user data and preventing unauthorized access. However, the vulnerability itself only discloses usernames and does not directly expose sensitive personal data or credentials. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23849. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart