CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-54088

CVE-2026-54088: Pre-Authentication Remote Code Execution in File Browser Hook Authentication

Alon Barad
Alon Barad
Software Engineer

Jul 11, 2026·6 min read·3 visits

Executive Summary (TL;DR)

Unauthenticated remote command execution vulnerability in File Browser's Hook Authentication feature via unsanitized username/password inputs.

CVE-2026-54088 is a critical command injection vulnerability in File Browser prior to version 2.63.6. When Hook Authentication is enabled, the application interpolates unsanitized credentials into a shell command, allowing unauthenticated remote code execution.

Vulnerability Overview

File Browser is an open-source, web-based file manager that enables administrators to manage remote filesystems through a web interface. The application supports user authentication, file access controls, and administrative commands. It exposes an attack surface that includes various authentication strategies, one of which is Hook Authentication.

This Hook Authentication component allows delegation of user credential verification to custom external scripts or executables. During a login attempt, File Browser triggers a subprocess running the configured command to check the credentials. This capability is useful for integrating external directory services or bespoke access databases.

The vulnerability designated as CVE-2026-54088 lies in the implementation of this Hook Authentication workflow. When handling a login request, the application processes user-provided credentials without performing input verification or sanitization. This allows an unauthenticated external attacker to achieve arbitrary command execution on the host operating system.

Root Cause Analysis

The vulnerability resides in the Go backend implementation of File Browser, specifically in the file auth/hook.go within the HookAuth.RunCommand function. When Hook Authentication is enabled, administrators configure a template command string. This template uses environment-style placeholders, such as $USERNAME and $PASSWORD, which are later substituted with actual login credentials.

To perform this substitution, the code splits the configured command string by whitespace into an execution slice. It then loops over the command arguments and performs literal variable expansion using Go's standard library os.Expand function. The expansion relies on a custom mapping function that returns the unauthenticated user-supplied credentials directly from the incoming HTTP POST request.

Because os.Expand performs textual replacement without sanitizing shell-specific characters, input fields containing shell metacharacters are written directly into the arguments of the execution slice. If the target command runs within a shell interpreter, the shell parses and executes these injected metacharacters. Consequently, characters such as semicolons, pipes, or command substitutions trigger secondary OS command execution during the pre-authentication phase.

Code Analysis

To understand the vulnerable design pattern, compare the legacy implementation in auth/hook.go with the corrected logic introduced in version 2.63.6.

// Vulnerable Implementation (auth/hook.go <= v2.63.5)
func (a *HookAuth) RunCommand() (string, error) {
	command := strings.Split(a.Command, " ")
	envMapping := func(key string) string {
		switch key {
		case "USERNAME":
			return a.Cred.Username // Unsanitized credential payload
		case "PASSWORD":
			return a.Cred.Password // Unsanitized credential payload
		default:
			return os.Getenv(key)
		}
	}
	for i, arg := range command {
		if i == 0 {
			continue
		}
		command[i] = os.Expand(arg, envMapping) // Command injection happens here
	}
 
	cmd := exec.Command(command[0], command[1:]...)
	cmd.Env = append(os.Environ(), fmt.Sprintf("USERNAME=%s", a.Cred.Username))
	cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", a.Cred.Password))
    // ...
}
// Fixed Implementation (auth/hook.go >= v2.63.6)
func (a *HookAuth) RunCommand() (string, error) {
	command := strings.Split(a.Command, " ")
 
	cmd := exec.Command(command[0], command[1:]...)
	cmd.Env = append(os.Environ(), fmt.Sprintf("USERNAME=%s", a.Cred.Username))
	cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", a.Cred.Password))
    // ...
}

In the patched version, the entire argument interpolation block using os.Expand has been removed. The static arguments of the command slice are passed without modifications. Instead of injecting credentials as part of the command arguments, the backend relies strictly on environment variables (cmd.Env) to pass the username and password details.

This architecture is safe because the Go standard library exec.Command implements low-level operating system process execution (using execve on POSIX systems or CreateProcess on Windows). System calls do not invoke a command-line shell by default unless an interpreter is explicitly specified as the target binary. Passing raw credential data through environment variables ensures that the data is never evaluated as command code, eliminating the parsing step that enabled the injection vector.

Exploitation

An unauthenticated attacker can exploit CVE-2026-54088 by sending a specially crafted HTTP POST request to the /api/login endpoint of a vulnerable File Browser instance. The attack requires no pre-existing valid credentials or active session. The attacker must only ensure that the Hook Authentication feature is configured and active on the target server.

The payload is placed directly within the JSON request body, using either the username or password keys. An attacker injects command separators or backticks containing OS-level commands into these fields. During processing, the backend invokes the Hook script and substitutes the malicious payload string. The shell interprets the metacharacters, executing the injected payloads immediately.

A public proof of concept (PoC) repository (Saku0512/CVE-2026-54088-poc) demonstrates this execution path. It sends a request containing a semicolon separator followed by system utility calls. The following flow diagram illustrates the step-by-step path from remote request to local execution:

Impact Assessment

The impact of CVE-2026-54088 is rated with critical severity, carrying a CVSS 4.0 base score of 9.3. Successful exploitation yields immediate, unauthenticated remote command execution under the security context of the user running the File Browser service. The attacker achieves full execution capability before any access validation takes place.

The compromised system allows attackers to read and alter all files managed by File Browser. Additionally, they can read configuration files, extract system credentials, and install rootkits or persistent backdoors. Depending on network topology, this system can also serve as a launchpad to pivot into local or private subnets.

While dockerized installations of File Browser restrict initial access to the container filesystem, container escape risks remain if the service runs with elevated privileges. In bare-metal installations, the compromise is direct and can lead to complete host takeover. The threat potential is high for internet-exposed file management services that hold business-critical storage volumes.

Remediation

Administrators should update File Browser instances to version 2.63.6 or later immediately. This patch removes the vulnerable os.Expand routine and safely encapsulates credential passing through the process environment block. Upgrading resolves the underlying parsing vulnerability without requiring modifications to external verification scripts.

If upgrading is not immediately possible, the Hook Authentication feature should be disabled. Reverting to database-backed authentication removes the vulnerability, as the default database backend does not spawn external shell processes. Transitioning to another external authentication mechanism like LDAP is also a viable mitigation path.

As a temporary layer of defense, organizations can deploy WAF signatures to detect malicious patterns targeting the /api/login endpoint. Specifically, WAF rules should filter incoming requests containing typical command injection characters in the username and password payload fields. These rules act as a stopgap and must not substitute for the vendor-issued patch.

Official Patches

filebrowserCommit fixing command expansion in hook auth
filebrowserGitHub Security Advisory

Fix Analysis (1)

Technical Appendix

CVSS Score
9.3/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Probability
0.53%
Top 59% most exploited
12,000
via Shodan

Affected Systems

File Browser (all deployments using Hook Authentication prior to 2.63.6)

Affected Versions Detail

Product
Affected Versions
Fixed Version
filebrowser
filebrowser
< 2.63.62.63.6
AttributeDetail
CWE IDCWE-78
Attack VectorNetwork (AV:N)
CVSS Score9.3 (Critical)
EPSS Score0.00533 (Percentile: 41.19%)
ImpactPre-Authentication Remote Code Execution
Exploit StatusPublic Proof-of-Concept Available
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1059Command and Scripting Interpreter
Execution
T1190Exploit Public-Facing Application
Initial Access
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Known Exploits & Detection

GitHubProof of Concept exploit for CVE-2026-54088

Vulnerability Timeline

Henrique Dias patches the vulnerability in official repository (v2.63.6 release)
2026-06-03
CVE-2026-54088 is officially published to the CVE list
2026-06-25
Public Proof-of-Concept exploit code is released by researcher saku0512
2026-06-28

References & Sources

  • [1]NVD - CVE-2026-54088
  • [2]CVE - CVE-2026-54088
  • [3]File Browser v2.63.5 Vulnerable auth/hook.go Source Code
  • [4]Saku0512 Public PoC Repository

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•17 minutes ago•CVE-2026-54069
9.1

CVE-2026-54069: Authentication Bypass in SiYuan Note via Origin Header Spoofing

CVE-2026-54069 is a critical authentication bypass vulnerability in the SiYuan Note personal knowledge management system. The flaw is located in the HTTP server's middleware handling API authorization, which unconditionally trusts requests carrying a 'chrome-extension://' scheme in the Origin HTTP header, granting administrative access without validating API tokens.

Alon Barad
Alon Barad
1 views•5 min read
•about 1 hour ago•CVE-2026-54089
9.1

CVE-2026-54089: Authentication Bypass by Spoofing in File Browser

CVE-2026-54089 is a critical authentication bypass vulnerability in File Browser affecting instances configured with proxy-based authentication. An unauthenticated remote attacker with direct network access can impersonate arbitrary users or register new accounts by spoofing configured HTTP headers.

Amit Schendel
Amit Schendel
3 views•7 min read
•about 1 hour ago•GHSA-99J7-FHR2-XFJ4
10.0

GHSA-99J7-FHR2-XFJ4: Malicious Remote Code Execution Payload in 'exploration' Cargo Crate

The malicious Cargo package 'exploration' was uploaded to the crates.io registry. During compilation or package import, the crate executes code designed to establish an outbound TCP/HTTP connection, download an external second-stage binary, and execute the binary locally on the host machine. This creates an unauthenticated remote code execution vector impacting developer environments and continuous integration pipelines.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 2 hours ago•GHSA-QV4M-M73M-8HJ7
8.8

GHSA-qv4m-m73m-8hj7: Authenticated Arbitrary File Upload leading to Remote Code Execution in NotrinosERP

An authenticated remote code execution vulnerability exists in NotrinosERP (versions up to and including 1.0.0) within the Human Resource Management (HRM) module. Users with employee management permissions can upload arbitrary file types, including PHP scripts, which are written directly to a web-accessible directory. This allows for arbitrary code execution in the context of the web-server user.

Alon Barad
Alon Barad
3 views•6 min read
•about 3 hours ago•GHSA-XRMC-C5CG-RV7X
8.8

GHSA-XRMC-C5CG-RV7X: Security Bypass Vulnerability in safeinstall-cli Command Parser

A high-severity security bypass vulnerability exists in safeinstall-cli up to version 0.10.1. Due to multiple logical limitations in its shell command parsing mechanism (guard-parser), attackers can craft specific shell commands that completely evade the Agent Guard interceptor hooks. This allows arbitrary unverified installations and code executions on the developer system when executed by AI coding agents.

Alon Barad
Alon Barad
4 views•7 min read
•about 3 hours ago•GHSA-WM45-QH3G-V83F
7.7

GHSA-WM45-QH3G-V83F: Arbitrary Server-Side File Read and Exfiltration via Attachment Upload in mcp-atlassian

An arbitrary server-side file read vulnerability exists in the mcp-atlassian integration server. Remote clients utilizing SSE or HTTP transports can exploit the lack of directory containment on attachment-upload tools to resolve and read arbitrary host files, exfiltrating them directly to Atlassian Jira or Confluence.

Amit Schendel
Amit Schendel
4 views•8 min read