CVE-2026-23849
Timing Attack in File Browser JSONAuth Enables Username Enumeration
Publication date: 2026-01-19
Last updated on: 2026-02-03
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filebrowser | filebrowser | up to 2.55.0 (excluding) |
| filebrowser | filebrowser | 2.55.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-203 | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23849 is a timing attack vulnerability in the FileBrowser project's login API. The issue arises because the authentication function's response time depends on whether the submitted username exists. If the username is not found, the function returns immediately without checking the password. If the username exists, it performs a bcrypt password check, which takes significantly longer. This timing difference allows an unauthenticated attacker to enumerate valid usernames by measuring the response times of login attempts. [1]
How can this vulnerability impact me?
This vulnerability allows unauthenticated remote attackers to discover valid usernames by measuring response times. Knowing valid usernames facilitates targeted brute-force or credential stuffing attacks against those accounts, weakening the overall security posture by exposing user existence information. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by performing a timing attack against the /api/login endpoint of the FileBrowser service. An unauthenticated attacker can send login requests with various usernames and measure the response times. Valid usernames cause longer response times (~50ms+) due to bcrypt password verification, while invalid usernames return quickly (~1ms). A proof-of-concept Python script automates this by calibrating network latency with random usernames, then measuring response times for usernames from a wordlist, using statistical analysis to identify valid usernames based on timing differences. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade FileBrowser to version 2.55.0 or later, where the vulnerability is patched. The patch introduces a constant dummy bcrypt hash used during authentication attempts for non-existent users, ensuring the password verification step is always performed and response times are consistent regardless of username validity. This prevents attackers from inferring valid usernames based on timing differences. [2]
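The two authentication patterns described above, as an added Go example that is not File Browser's own code: the flawed early return for unknown users beside the hardened version that always runs the password check against a constant dummy hash. bcrypt is replaced by an iterated SHA-256 stand-in so the program runs without external dependencies, and the user store, passwords and dummy hash are constructed for the example.

```go
package main
import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)
// slowHash stands in for bcrypt (File Browser's real hash): deliberately costly iterated SHA-256.
func slowHash(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	for i := 0; i < 100000; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}
// verify recomputes the hash and compares it in constant time.
func verify(stored []byte, password string) bool {
	return subtle.ConstantTimeCompare(stored, slowHash(password)) == 1
}
// Constructed user store (made-up password) and the constant dummy hash checked for
// unknown users so the costly step always runs; the dummy password is never accepted.
var users = map[string][]byte{"admin": slowHash("constructed-password")}
var dummyHash = slowHash("dummy-password-never-accepted")
// authVulnerable mirrors the flaw: an unknown user returns before any hashing.
func authVulnerable(user, password string) bool {
	stored, ok := users[user]
	if !ok {
		return false
	}
	return verify(stored, password)
}
// authHardened always hashes; ok, not the dummy comparison, decides the outcome.
func authHardened(user, password string) bool {
	stored, ok := users[user]
	if !ok {
		stored = dummyHash
	}
	match := verify(stored, password)
	return ok && match
}
// measure returns the wall-clock time of one authentication call.
func measure(auth func(string, string) bool, user, password string) time.Duration {
	start := time.Now()
	auth(user, password)
	return time.Since(start)
}
func main() {
	fmt.Println("unknown user, vulnerable:", measure(authVulnerable, "nobody", "x"))
	fmt.Println("unknown user, hardened:  ", measure(authHardened, "nobody", "x"))
}
```

Running it shows the vulnerable path answering an unknown user in microseconds while the hardened path takes as long as a real password check, which is the observable difference the patch removes.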
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to enumerate valid usernames by exploiting timing differences in the authentication process. Such exposure of user existence information can weaken the security posture and potentially lead to targeted attacks, which may result in unauthorized access to personal or sensitive data. Consequently, this could impact compliance with standards and regulations like GDPR and HIPAA that require protecting user data and preventing unauthorized access. However, the vulnerability itself only discloses usernames and does not directly expose sensitive personal data or credentials. [1]