CVE-2026-50891
Status: Received - Intake
Incorrect Access Control in Filestash v0.4.0

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: filestash
Product: filestash
Version / Range: 0.4.0
CWE ID: CWE-UNKNOWN
Executive Summary

CVE-2026-50891 is a vulnerability in Filestash version 0.4.0 where the /admin/api/config component is exposed during the initial setup phase before an administrator password is set.

Because the system does not enforce proper authentication checks during this first-run setup, a remote attacker can send specially crafted requests to set their own administrator password hash.

This allows the attacker to gain full administrative access to the Filestash instance by modifying the admin password hash and then authenticating with their chosen password.

Impact Analysis

This vulnerability can lead to a complete compromise of the Filestash instance.

  • An attacker can gain full administrative control over the system.
  • They can control global settings, storage configurations, sharing policies, and secrets managed through the admin console.
  • This could result in unauthorized data access, data modification, or disruption of services.

Detection Guidance

This vulnerability can be detected by checking if the /admin/api/config and /admin/api/session endpoints are accessible without authentication during the initial setup phase of Filestash v0.4.0.

You can attempt to send HTTP requests to these endpoints to see if they respond without requiring admin credentials.

  • Use curl to GET the current configuration: curl -v http://<filestash-host>/admin/api/config
  • Attempt to POST a modified admin password hash to /admin/api/config: curl -X POST -d '{"auth.admin":"<bcrypt-hash>"}' http://<filestash-host>/admin/api/config
  • Try to authenticate with the new password via POST /admin/api/session: curl -X POST -d '{"password":"<your-password>"}' http://<filestash-host>/admin/api/session

If these requests succeed without prior authentication, the system is vulnerable.
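As an added, defender-side complement to the checks above (example code written for this page, not part of the original advisory or the Filestash project), the following script scans reverse-proxy access-log lines for the request order described here: a successful POST to /admin/api/config followed by a successful POST to /admin/api/session from the same source address. The nginx "combined" log layout, the sample addresses and the timestamps are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed nginx "combined"-style access-log lines used only for illustration;
# the addresses and timestamps are made up, not taken from any real deployment.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2026:10:00:01 +0000] "GET /admin/api/config HTTP/1.1" 200 812 "-" "curl/8.5.0"
203.0.113.7 - - [15/Jun/2026:10:00:05 +0000] "POST /admin/api/config HTTP/1.1" 200 14 "-" "curl/8.5.0"
203.0.113.7 - - [15/Jun/2026:10:00:09 +0000] "POST /admin/api/session HTTP/1.1" 200 27 "-" "curl/8.5.0"
198.51.100.4 - - [15/Jun/2026:10:02:13 +0000] "GET /admin/api/config HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Jun/2026:10:02:20 +0000] "POST /admin/api/session HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Field layout assumed: client ip, ident, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return ip/ts/method/path/status for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before comparing paths
    return rec

def find_admin_takeover_sequences(log_text):
    """Flag each source IP whose successful (2xx) POST to /admin/api/config is later
    followed by a successful POST to /admin/api/session, the order the advisory describes."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and 200 <= rec["status"] < 300:
            per_ip[rec["ip"]].append(rec)  # log lines are assumed to be in chronological order
    hits = []
    for ip, events in per_ip.items():
        wrote_config = False
        for rec in events:
            if rec["method"] == "POST" and rec["path"] == "/admin/api/config":
                wrote_config = True
            elif wrote_config and rec["method"] == "POST" and rec["path"] == "/admin/api/session":
                hits.append({"ip": ip, "session_at": rec["ts"]})
                break
    return hits

if __name__ == "__main__":
    for hit in find_admin_takeover_sequences(SAMPLE_LOG):
        print(f"possible unauthenticated admin takeover from {hit['ip']} at {hit['session_at']}")
```

The same request order also occurs when the legitimate administrator completes first-run setup, so compare any hit against the known admin source address and the setup window before treating it as an incident.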

Mitigation Strategies

To mitigate this vulnerability immediately, ensure that the Filestash instance is not accessible externally during the initial setup phase before an administrator password is set.

Restrict network access to the Filestash service until the administrator password is configured.

Alternatively, apply access control measures such as firewall rules or reverse proxy authentication to block unauthenticated access to /admin/api/config and /admin/api/session endpoints.

After setting the administrator password, verify that the AdminOnly middleware properly enforces authentication.

Compliance Impact

This vulnerability allows an attacker to gain full administrative access to the Filestash instance by exploiting a lack of access control during the initial setup phase. Such unauthorized access can lead to compromise of global settings, storage configurations, sharing policies, and secrets.

Because of this, organizations using Filestash v0.4.0 may face significant risks related to data confidentiality and integrity, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Specifically, unauthorized administrative control could result in unauthorized data access or modification, potentially leading to violations of data protection obligations, breach notification requirements, and other compliance mandates.
