CVE-2026-25889
Undergoing Analysis Undergoing Analysis - In Progress
Case-Sensitivity Bypass in File Browser Password Validation Enables Account Takeover

Publication date: 2026-02-09

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25889
EUVD
EUVD-2026-6865
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
filebrowser filebrowser to 2.57.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in File Browser versions prior to 2.57.1 and involves a case-sensitivity flaw in the password validation logic.

Specifically, by using the field name "Password" with a capital 'P' instead of the lowercase "password" in an API request, the system bypasses the verification of the current password.

This means that any authenticated user can change their password without providing the current password, and an admin can change any user's password without the current password.

An attacker who obtains a valid JWT token through methods like cross-site scripting (XSS) or session hijacking can exploit this flaw to take over accounts.

Impact Analysis

This vulnerability can lead to unauthorized account takeover.

If an attacker gains access to a valid JWT token, they can change passwords without knowing the current password, potentially locking out legitimate users.

This compromises the integrity and security of user accounts, leading to potential unauthorized access to sensitive files managed by the File Browser.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade File Browser to version 2.57.1 or later, where the password validation logic flaw has been fixed.

Additionally, ensure that JWT tokens are protected from theft via XSS, session hijacking, or other means to prevent account takeover.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart